Vulnerability Description
Lorensbergs Connect2 3.13.7647.20190 is affected by an XSS vulnerability. Exploitation requires administrator privileges and is performed through the Wizard editor of the application. The attack requires an administrator to go into the Wizard editor and enter an XSS payload within the Page title, Page Instructions, Text before, Text after, or Text on side box. Once this has been done, the administrator must click save and finally wait until any user of the application performs a booking for rental items in the booking area of the application, where the XSS triggers. NOTE: another perspective is that the administrator may require JavaScript to customize any aspect of the page rendering. There is no effective way for the product to defend users in the face of a malicious administrator
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lorensbergs | Connect2 | 3.13.7647.20190 |
Related Weaknesses (CWE)
References
- https://www.lorensbergs.co.uk/products/connect2-academic/ProductVendor Advisory
- https://www.surecloud.com/resources/blog/lorensbergs-connect2-cross-site-scriptiExploitThird Party Advisory
- https://www.lorensbergs.co.uk/products/connect2-academic/ProductVendor Advisory
- https://www.surecloud.com/resources/blog/lorensbergs-connect2-cross-site-scriptiExploitThird Party Advisory
FAQ
What is CVE-2021-43960?
CVE-2021-43960 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Lorensbergs Connect2 3.13.7647.20190 is affected by an XSS vulnerability. Exploitation requires administrator privileges and is performed through the Wizard editor of the application. The attack requi...
How severe is CVE-2021-43960?
CVE-2021-43960 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-43960?
Check the references section above for vendor advisories and patch information. Affected products include: Lorensbergs Connect2.