CVE-2021-41236

XSS vulnerability in oro/platform

CVSS 6.9 MEDIUMEPSS 0.7%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.9EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Jan 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload, execution the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as is possible.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Affected products

oroinc · platform

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/oroinc/platform/commit/2a089c971fc70bc63baf8770d29ee515ce5a415a https://github.com/oroinc/platform/security/advisories/GHSA-qv7g-j98v-8pp7