Several stored XSS
CVE-2021-21319

6.8MEDIUM

Key Information:

Vendor

Galette

Status
Galette
Vendor
CVE Published:
25 October 2021

What is CVE-2021-21319?

Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is the default state). Malicious javascript code can be executed (not stored) on login and retrieve password pages. This issue is patched in version 0.9.5.

Affected Version(s)

galette < 0.9.5

References

https://github.com/galette/galette/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/galette/galette/commit/514418da973ae5b...
x_refsource_MISC
https://github.com/galette/galette/commit/8f3bdd9f7d07084...
x_refsource_MISC

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2021-21319 : Several stored XSS