René Helmke 7791f18b51 bootstrap
2023-05-16 16:09:41 +02:00

{
"id": "CVE-2021-21283",
"sourceIdentifier": "security-advisories@github.com",
"published": "2021-01-26T21:15:12.767",
"lastModified": "2021-02-04T14:48:31.093",
"vulnStatus": "Analyzed",
"descriptions": [
{
"lang": "en",
"value": "Flarum is an open source discussion platform for websites. The \"Flarum Sticky\" extension versions 0.1.0-beta.14 and 0.1.0-beta.15 has a cross-site scripting vulnerability. A change in release beta 14 of the Sticky extension caused the plain text content of the first post of a pinned discussion to be injected as HTML on the discussion list. The issue was discovered following an internal audit. Any HTML would be injected through the m.trust() helper. This resulted in an HTML injection where <script> tags would not be executed. However it was possible to run javascript from other HTML attributes, enabling a cross-site scripting (XSS) attack to be performed. Since the exploit only happens with the first post of a pinned discussion, an attacker would need the ability to pin their own discussion, or be able to edit a discussion that was previously pinned. On forums where all pinned posts are authored by your staff, you can be relatively certain the vulnerability has not been exploited. Forums where some user-created discussions were pinned can look at the first post edit date to find whether the vulnerability might have been exploited. Because Flarum doesn't store the post content history, you cannot be certain if a malicious edit was reverted. The fix will be available in version v0.1.0-beta.16 with Flarum beta 16. The fix has already been back-ported to Flarum beta 15 as version v0.1.0-beta.15.1 of the Sticky extension. Forum administrators can disable the Sticky extension until they are able to apply the update. The vulnerability cannot be exploited while the extension is disabled."
},
{
"lang": "es",
"value": "Flarum es una plataforma de discusi\u00f3n de c\u00f3digo abierto para sitios web. Las versiones 0.1.0-beta.14 y 0.1.0-beta.15 de la extensi\u00f3n \"Flarum Sticky\" tienen una vulnerabilidad de tipo cross-site scripting. Un cambio en la versi\u00f3n beta 14 de la extensi\u00f3n Sticky caus\u00f3 que el contenido de texto plano de la primera publicaci\u00f3n de una discusi\u00f3n fijada se inyectara como HTML en la lista de discusi\u00f3n. El problema se detect\u00f3 tras una auditor\u00eda interna. Cualquier HTML se inyectar\u00eda por medio del asistente m.trust(). Esto result\u00f3 en una inyecci\u00f3n de HTML donde las etiquetas (script) no se ejecutar\u00edan. Sin embargo, era posible ejecutar javascript desde otros atributos HTML, lo que permit\u00eda realizar un ataque de tipo cross-site scripting (XSS). Dado que la explotaci\u00f3n solo ocurre con la primera publicaci\u00f3n de una discusi\u00f3n fijada, un atacante necesitar\u00eda la capacidad de fijar su propia discusi\u00f3n o poder editar una discusi\u00f3n que haya sido fijada previamente. En los foros donde todas las publicaciones fijadas son creadas por su personal, puede estar relativamente seguro de que la vulnerabilidad no ha sido explotada. Los foros en los que se fijaron algunas discusiones creadas por usuarios pueden consultar la fecha de edici\u00f3n de la primera publicaci\u00f3n para averiguar si la vulnerabilidad podr\u00eda haberse explotado. Debido a que Flarum no almacena el historial de contenido de la publicaci\u00f3n, no puede estar seguro de si se reverti\u00f3 una edici\u00f3n maliciosa. La correcci\u00f3n estar\u00e1 disponible en la versi\u00f3n v0.1.0-beta.16 con Flarum beta 16. La correcci\u00f3n ya se ha actualizado a Flarum beta 15 como la versi\u00f3n v0.1.0-beta.15.1 de la extensi\u00f3n Sticky. Los administradores del foro pueden deshabilitar la extensi\u00f3n Sticky hasta que puedan aplicar la actualizaci\u00f3n. La vulnerabilidad no puede ser explotada mientras la extensi\u00f3n est\u00e9 desactivada"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
},
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "MEDIUM",
"authentication": "SINGLE",
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 3.5
},
"baseSeverity": "LOW",
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": true
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:flarum:sticky:0.1.0:beta14:*:*:*:*:*:*",
"matchCriteriaId": "39236B26-127F-4C5C-A5D5-9E1730245739"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:flarum:sticky:0.1.0:beta15:*:*:*:*:*:*",
"matchCriteriaId": "9D6DFA2A-DE79-40DF-8276-AA4F19D511B4"
}
]
}
]
}
],
"references": [
{
"url": "https://discuss.flarum.org/d/26042-security-update-to-flarum-sticky-010-beta151)",
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
]
},
{
"url": "https://github.com/flarum/sticky/commit/7ebd30462bd405c4c0570b93a6d48710e6c3db19",
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://github.com/flarum/sticky/pull/24",
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://github.com/flarum/sticky/security/advisories/GHSA-h3gg-7wx2-cq3h",
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
]
}
]
}