Attacker Value
Moderate
CVE-2021-39609
CVE-2021-39609
(Last updated October 07, 2023) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Discovery
Techniques
Validation
Description
Cross Site Scripting (XSS) vulnerability exiss in FlatCore-CMS 2.0.7 via the upload image function.
Add Assessment
2
Technical Analysis
Description:
Cross-Site Scripting (XSS SVG – Stored – PWNED PHPSESSID RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
When the malicious user trick the administrator of the CMS system to upload the malicious SVG file, then
he can be already executed this code from everywhere on the internet, and the thing will be more worst than ever for the owner of this CMS system! ;)
Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-39609
Proof:
Proof: PHPSESSID PWNED
1
Considering other users considered this to be a higher risk vulnerability, please provide more details on why you think this is a low risk vulnerability for comparison.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
5.4 Medium
Impact Score:
2.7
Exploitability Score:
2.3
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None
General Information
Vendors
- flatcore
Products
- flatcore-cms 2.0.7
