Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2021-43141

Disclosure Date: November 03, 2021 •

CVE-2021-43141 CVSS v3 Base Score: 6.1

Exploited in the Wild

Reported by JK604080148
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

Command and Scripting Interpreter: Python

Validated

Exploitation for Client Execution

Validated

Privilege Escalation

Techniques

Validation

Process Injection: Process Hollowing

Validated

Exploitation for Privilege Escalation

Validated

Valid Accounts: Default Accounts

Validated

Description

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.

Add Assessment

nu11secur1ty (198)

November 20, 2021 8:47am UTC (3 years ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration

Technical Analysis

Description:

Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application and users_application.
The attacker can use SQL – Injection bypass Authentication method to log in to the admin account of the system and then he can exploit this account by using XSS-Stored to attack and exploit the account, and then he can use remote requests to hijack PHPSESSID and can exploit this account and users into it by using an XSS-Stored method!
Conclusion: The status of this system is CRITICAL and awful, and this must be stopped immediately for distribution!

Action:

Reproduce:

href

Proof and exploit:

href

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.1 Medium

Impact Score:

2.7

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

Vendors

simple subscription website project

Products

simple subscription website 1.0

Exploited in the Wild

Reported by:

JK604080148

Reported: July 14, 2022 8:03am UTC (2 years ago)

References

Canonical

CVE-2021-43141 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43141)

Miscellaneous

https://github.com/Dir0x/CVE-2021-43141

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-43141

https://www.nu11secur1ty.com/2021/11/cve-2021-43141.html

https://streamable.com/8gydfs

Rapid7

Very High

CVE-2021-43141

Very High

Very High

Required

None

Network

CVE-2021-43141

Description

Add Assessment

Ratings

Technical Analysis

CVE-2021-43141

Vendor

Description:

Action:

Reproduce:

Proof and exploit:

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2021-43141

Very High

Very High

Required

None

Network

CVE-2021-43141

Description

Add Assessment

Ratings

Technical Analysis

CVE-2021-43141

Vendor

Description:

Action:

Reproduce:

Proof and exploit:

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification