Vulnerability-Lookup

CNVD-2021-11067

Vulnerability from cnvd - Published: 2021-02-20

Title

Oscar Arzola PressBooks跨站脚本漏洞

Description

Oscar Arzola PressBooks是中国Oscar Arzolat个人开发者的一个应用系统。提供一种图书内容管理系统。 PressBooks在5.17.3版本中存在跨站脚本漏洞。该漏洞可通过向平台提交长的书本描述来引发存储型XSS漏洞，目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Oscar Arzola PressBooks跨站脚本漏洞的补丁

Patch Description

Oscar Arzola PressBooks是中国Oscar Arzolat个人开发者的一个应用系统。提供一种图书内容管理系统。 PressBooks在5.17.3版本中存在跨站脚本漏洞。该漏洞可通过向平台提交长的书本描述来引发存储型XSS漏洞，目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/pressbooks/pressbooks/pull/2072

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-3271

Impacted products

Name
Oscar Arzolat PressBooks 5.17.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-3271",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-3271"
    }
  },
  "description": "Oscar Arzola PressBooks\u662f\u4e2d\u56fdOscar Arzolat\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u4e2a\u5e94\u7528\u7cfb\u7edf\u3002\u63d0\u4f9b\u4e00\u79cd\u56fe\u4e66\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\n\nPressBooks\u57285.17.3\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u53ef\u901a\u8fc7\u5411\u5e73\u53f0\u63d0\u4ea4\u957f\u7684\u4e66\u672c\u63cf\u8ff0\u6765\u5f15\u53d1\u5b58\u50a8\u578bXSS\u6f0f\u6d1e\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/pressbooks/pressbooks/pull/2072",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-11067",
  "openTime": "2021-02-20",
  "patchDescription": "Oscar Arzola PressBooks\u662f\u4e2d\u56fdOscar Arzolat\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u4e2a\u5e94\u7528\u7cfb\u7edf\u3002\u63d0\u4f9b\u4e00\u79cd\u56fe\u4e66\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nPressBooks\u57285.17.3\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u53ef\u901a\u8fc7\u5411\u5e73\u53f0\u63d0\u4ea4\u957f\u7684\u4e66\u672c\u63cf\u8ff0\u6765\u5f15\u53d1\u5b58\u50a8\u578bXSS\u6f0f\u6d1e\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oscar Arzola PressBooks\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Oscar Arzolat PressBooks 5.17.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-3271",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-20",
  "title": "Oscar Arzola PressBooks\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-3271 (GCVE-0-2021-3271)

Vulnerability from cvelistv5 – Published: 2021-01-22 17:08 – Updated: 2024-08-03 16:53

Summary

PressBooks 5.17.3 contains a cross-site scripting (XSS). Stored XSS can be submitted via the Book Info's Long Description Body, and all actions to open or preview the books page will result in the triggering the stored XSS.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/pressbooks/pressbooks/pull/2072	x_refsource_MISC
	https://github.com/pressbooks/pressbooks	x_refsource_MISC
	https://www.gosecure.net/blog/2021/02/16/cve-2021…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:16.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pressbooks/pressbooks/pull/2072"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pressbooks/pressbooks"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.gosecure.net/blog/2021/02/16/cve-2021-3271-pressbooks-stored-cross-site-scripting-proof-of-concept/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PressBooks 5.17.3 contains a cross-site scripting (XSS). Stored XSS can be submitted via the Book Info\u0027s Long Description Body, and all actions to open or preview the books page will result in the triggering the stored XSS."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-18T18:55:32",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pressbooks/pressbooks/pull/2072"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pressbooks/pressbooks"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.gosecure.net/blog/2021/02/16/cve-2021-3271-pressbooks-stored-cross-site-scripting-proof-of-concept/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-3271",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PressBooks 5.17.3 contains a cross-site scripting (XSS). Stored XSS can be submitted via the Book Info\u0027s Long Description Body, and all actions to open or preview the books page will result in the triggering the stored XSS."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pressbooks/pressbooks/pull/2072",
              "refsource": "MISC",
              "url": "https://github.com/pressbooks/pressbooks/pull/2072"
            },
            {
              "name": "https://github.com/pressbooks/pressbooks",
              "refsource": "MISC",
              "url": "https://github.com/pressbooks/pressbooks"
            },
            {
              "name": "https://www.gosecure.net/blog/2021/02/16/cve-2021-3271-pressbooks-stored-cross-site-scripting-proof-of-concept/",
              "refsource": "MISC",
              "url": "https://www.gosecure.net/blog/2021/02/16/cve-2021-3271-pressbooks-stored-cross-site-scripting-proof-of-concept/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-3271",
    "datePublished": "2021-01-22T17:08:20",
    "dateReserved": "2021-01-22T00:00:00",
    "dateUpdated": "2024-08-03T16:53:16.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-11067

CVE-2021-3271 (GCVE-0-2021-3271)

Tags

Sightings

Nomenclature