Vulnerability Description
A Cross Site Scriptiong (XSS) vulnerability exists in the admin panel in Webuzo < 2.9.0 via an HTTP request to a non-existent page, which is activated by administrators viewing the "Error Log" page. An attacker can leverage this to achieve Unauthenticated Remote Code Execution via the "Cron Jobs" functionality of Webuzo.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webuzo | Webuzo | < 2.9.0 |
Related Weaknesses (CWE)
References
- https://gist.github.com/omriinbar/5a24ccc2127ac61b6d9872c9405ebc8eThird Party Advisory
- https://www.webuzo.com/blog/webuzo-2-9-0-launched/Release NotesVendor Advisory
- https://gist.github.com/omriinbar/5a24ccc2127ac61b6d9872c9405ebc8eThird Party Advisory
- https://www.webuzo.com/blog/webuzo-2-9-0-launched/Release NotesVendor Advisory
FAQ
What is CVE-2021-40238?
CVE-2021-40238 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A Cross Site Scriptiong (XSS) vulnerability exists in the admin panel in Webuzo < 2.9.0 via an HTTP request to a non-existent page, which is activated by administrators viewing the "Error Log" page. A...
How severe is CVE-2021-40238?
CVE-2021-40238 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-40238?
Check the references section above for vendor advisories and patch information. Affected products include: Webuzo Webuzo.