CVE-2021-3536

wildfly: XSS via admin console when creating roles in domain mode

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.

Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto afecta la Confidencialidad y la Integridad

A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-05 CVE Reserved
2021-05-20 CVE Published
2023-03-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=1948001	2021-05-26
https://access.redhat.com/security/cve/CVE-2021-3536	2021-12-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Build Of Quarkus Search vendor "Redhat" for product "Build Of Quarkus"				-		-		Affected
Redhat Search vendor "Redhat"		Data Grid Search vendor "Redhat" for product "Data Grid"				8.0 Search vendor "Redhat" for product "Data Grid" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Descision Manager Search vendor "Redhat" for product "Descision Manager"				7.0 Search vendor "Redhat" for product "Descision Manager" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Integration Camel K Search vendor "Redhat" for product "Integration Camel K"				-		-		Affected
Redhat Search vendor "Redhat"		Integration Camel Quarkus Search vendor "Redhat" for product "Integration Camel Quarkus"				-		-		Affected
Redhat Search vendor "Redhat"		Integration Service Registry Search vendor "Redhat" for product "Integration Service Registry"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss A-mq Search vendor "Redhat" for product "Jboss A-mq"				7 Search vendor "Redhat" for product "Jboss A-mq" and version "7"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				7.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Wildfly Search vendor "Redhat" for product "Wildfly"				< 23.0.2 Search vendor "Redhat" for product "Wildfly" and version " < 23.0.2"		-		Affected