Vulnerability Description
OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload, execution the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as is possible.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oroinc | Oroplatform | >= 3.1.0, < 3.1.21 |
Related Weaknesses (CWE)
References
- https://github.com/oroinc/platform/commit/2a089c971fc70bc63baf8770d29ee515ce5a41PatchThird Party Advisory
- https://github.com/oroinc/platform/security/advisories/GHSA-qv7g-j98v-8pp7Third Party Advisory
- https://github.com/oroinc/platform/commit/2a089c971fc70bc63baf8770d29ee515ce5a41PatchThird Party Advisory
- https://github.com/oroinc/platform/security/advisories/GHSA-qv7g-j98v-8pp7Third Party Advisory
FAQ
What is CVE-2021-41236?
CVE-2021-41236 is a vulnerability with a CVSS score of 6.9 (MEDIUM). OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to cr...
How severe is CVE-2021-41236?
CVE-2021-41236 has been rated MEDIUM with a CVSS base score of 6.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-41236?
Check the references section above for vendor advisories and patch information. Affected products include: Oroinc Oroplatform.