// For flags

CVE-2021-25983

FactorJS - Reflected Cross-Site Scripting (XSS) in Tags and Categories Functionality

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Factor (App Framework & Headless CMS) forum plugin, versions v1.3.8 to v1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “tags” and “category” parameters in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.

En Factor (App Framework & Headless CMS) forum plugin, versiones v1.3.8 a v1.8.30, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) reflejado en los parámetros "tags" y "category" de la URL. Un atacante no autenticado puede ejecutar código JavaScript malicioso y robar las cookies de sesión

*Credits: WhiteSource Vulnerability Research Team (WVR)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-22 CVE Reserved
  • 2021-11-16 CVE Published
  • 2024-08-01 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Darwin
Search vendor "Darwin"
 Factor
Search vendor "Darwin" for product "Factor"
 >= 1.3.8 <= 1.8.30
Search vendor "Darwin" for product "Factor" and version " >= 1.3.8 <= 1.8.30"
node.js
Affected