Vulnerability Description
The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. The the data from torrent files is not properly sanitised as it's interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary Javascript code in the context of the user's browser session.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deluge-Torrent | Deluge | < 2.1.0 |
Related Weaknesses (CWE)
References
- https://dev.deluge-torrent.org/ticket/3459ExploitIssue TrackingPatch
- https://groups.google.com/g/deluge-dev/c/e5zh7wT0rEgExploitIssue TrackingMailing List
- https://security.gentoo.org/glsa/202210-07Third Party Advisory
- https://dev.deluge-torrent.org/ticket/3459ExploitIssue TrackingPatch
- https://groups.google.com/g/deluge-dev/c/e5zh7wT0rEgExploitIssue TrackingMailing List
- https://security.gentoo.org/glsa/202210-07Third Party Advisory
FAQ
What is CVE-2021-3427?
CVE-2021-3427 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. The the data from torrent files is not properly sanitised as it's interpreted directly as HTML. Someone who supplies the user wit...
How severe is CVE-2021-3427?
CVE-2021-3427 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-3427?
Check the references section above for vendor advisories and patch information. Affected products include: Deluge-Torrent Deluge.