Stored XSS in PluXML Article Editing Feature
CVE-2021-38602

4.8MEDIUM

Key Information:

Vendor: Pluxml
Status: Pluxml
Vendor: CVE Published:; 12 August 2021

Badges

👾 Exploit Exists

What is CVE-2021-38602?

A vulnerability in PluXML version 5.8.7 allows attackers to execute stored cross-site scripting (XSS) attacks via manipulated headlines or content in articles. This exploitation occurs during article editing, where the input is not properly sanitized, leading to potential unauthorized actions and data exposure. Users are encouraged to review the changelog and apply necessary updates to mitigate these risks.

References

https://pluxml.org/download/changelog.txt

x_refsource_MISC

https://github.com/KielVaughn/CVE-2021-38602

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Aug 12, 2021
👾
Exploit known to exist
Aug 12, 2021
Vulnerability published
Aug 12, 2021
Vulnerability Reserved
Aug 12, 2021

JSON

Pluxml

Badges

What is CVE-2021-38602?

References

CVSS V3.1

Timeline