CVE-2021-31930
Last modified
CVE-2021-31930 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.. EPSS estimates a 0.92% chance of exploitation in the next 30 days.
Description
Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Concerto-Signage | Concerto | <= 2.3.6 |
References
- https://github.com/concerto/concerto/pull/1558Third Party Advisory
- https://github.com/concerto/concerto/security/advisoriesThird Party Advisory
- https://github.com/concerto/concerto/pull/1558Third Party Advisory
- https://github.com/concerto/concerto/security/advisoriesThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-31930?
How severe is CVE-2021-31930?
How do I fix CVE-2021-31930?
Are you affected by CVE-2021-31930?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST