CVE-2021-35210

{"id": "CVE-2021-35210", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-06-23T11:15:08.170", "references": [{"url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/contao/contao/security/advisories/GHSA-h58v-c6rf-g9f7", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end."}, {"lang": "es", "value": "Contao versiones 4.5.x hasta 4.9.x anteriores a 4.9.16, y versiones 4.10.x hasta 4.11.x anteriores a 4.11.5, permite un ataque de tipo XSS. Es posible inyectar c\u00f3digo en la tabla tl_log que ser\u00e1 ejecutada en el navegador cuando el registro del sistema es llamado en el back end"}], "lastModified": "2021-06-29T19:14:56.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB94BB9F-A64C-4ECD-8EBB-86BF97681CA3", "versionEndExcluding": "4.9.16", "versionStartIncluding": "4.5.0"}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB7BCDE1-3E94-4738-B3DF-B96A508A5585", "versionEndExcluding": "4.11.5", "versionStartIncluding": "4.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}