### [CVE-2021-38295](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38295)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20CouchDB&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=IBM%20Cloudant&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20CouchDB%3C%203.1.2%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=IBM%20Cloudant%3C%208201%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Privilege%20escalation&color=brighgreen)

### Description

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ProfessionallyEvil/CVE-2021-38295-PoC
- https://github.com/nomi-sec/PoC-in-GitHub