CVE-2021-47725

Summary

STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site.

Affected Software

VendorProductVersion RangeStatus
STVS SASTVS ProVision5.9.10affected
STVS SASTVS ProVision5.9.9affected
STVS SASTVS ProVision5.9.7affected
STVS SASTVS ProVision5.9.1affected
STVS SASTVS ProVision5.9.0affected
STVS SASTVS ProVision5.8.6affected
STVS SASTVS ProVision5.7affected
STVS SASTVS ProVision5.6affected
STVS SASTVS ProVision5.5affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References