CVE-2021-25978 – apostrophe
Package
Manager: npm
Name: apostrophe
Vulnerable Version: >=2.63.0 <3.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00206 (percentile: 0.42961)
Details
Cross-site Scripting in apostrophe
Apostrophe CMS versions 2.63.0 through 3.3.1 are vulnerable to stored XSS: an editor can upload an SVG file containing malicious JavaScript to the Images module, and the script executes when the file is viewed.
Metadata
Created: 2021-11-10T16:45:34Z
Modified: 2021-11-08T21:26:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-4r9c-jghc-cx5m/GHSA-4r9c-jghc-cx5m.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-4r9c-jghc-cx5m
Finding: F425
Auto approve: 1