Vulnerability-Lookup

CNVD-2022-70070

Vulnerability from cnvd - Published: 2022-10-21

Title

ifme notifications section跨站脚本漏洞

Description

Ifme是开源的一个心理健康体验社区，鼓励人们与可信赖的盟友分享他们的个人故事。 Ifme在v1.0.0至v7.31.4版本中存在跨站脚本漏洞，该漏洞源于notifications section缺少对用户提供的数据和输出的数据校验过滤。攻击者可通过向管理员发送盟友请求引发该漏洞执行JavaScript代码。

Severity

低

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-25988

Impacted products

Name
Ifme Ifme >=v1.0.0，<=v7.31.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-25988",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-25988"
    }
  },
  "description": "Ifme\u662f\u5f00\u6e90\u7684\u4e00\u4e2a\u5fc3\u7406\u5065\u5eb7\u4f53\u9a8c\u793e\u533a\uff0c\u9f13\u52b1\u4eba\u4eec\u4e0e\u53ef\u4fe1\u8d56\u7684\u76df\u53cb\u5206\u4eab\u4ed6\u4eec\u7684\u4e2a\u4eba\u6545\u4e8b\u3002\n\nIfme\u5728v1.0.0\u81f3v7.31.4\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8enotifications section\u7f3a\u5c11\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u548c\u8f93\u51fa\u7684\u6570\u636e\u6821\u9a8c\u8fc7\u6ee4\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411\u7ba1\u7406\u5458\u53d1\u9001\u76df\u53cb\u8bf7\u6c42\u5f15\u53d1\u8be5\u6f0f\u6d1e\u6267\u884cJavaScript\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-70070",
  "openTime": "2022-10-21",
  "products": {
    "product": "Ifme Ifme \u003e=v1.0.0\uff0c\u003c=v7.31.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-25988",
  "serverity": "\u4f4e",
  "submitTime": "2021-12-30",
  "title": "ifme notifications section\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-25988 (GCVE-0-2021-25988)

Vulnerability from cvelistv5 – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:44

Title

ifme - Stored Cross-Site Scripting (XSS) in Notifications section

Summary

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

Mend

References

2 references

URL	Tags
https://github.com/ifmeorg/ifme/commit/720a47015e…	x_refsource_MISC
https://www.whitesourcesoftware.com/vulnerability…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
ifmeorg	ifme	Affected: 1.0.0 , < unspecified (custom) Affected: unspecified , ≤ v7.31.4 (custom)

Date Public ?

2021-12-26 00:00

Credits

WhiteSource Vulnerability Research Team (WVR)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:19:19.487Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-25988",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T15:27:33.691663Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T15:44:07.124Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ifme",
          "vendor": "ifmeorg",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v7.31.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "WhiteSource Vulnerability Research Team (WVR)"
        }
      ],
      "datePublic": "2021-12-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-29T09:10:14.000Z",
        "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "shortName": "Mend"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update version to v7.32 or later"
        }
      ],
      "source": {
        "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
        "discovery": "UNKNOWN"
      },
      "title": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
          "DATE_PUBLIC": "2021-12-26T16:07:00.000Z",
          "ID": "CVE-2021-25988",
          "STATE": "PUBLIC",
          "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ifme",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "1.0.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "v7.31.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ifmeorg"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "WhiteSource Vulnerability Research Team (WVR)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c",
              "refsource": "MISC",
              "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
            },
            {
              "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988",
              "refsource": "MISC",
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update version to v7.32 or later"
          }
        ],
        "source": {
          "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
    "assignerShortName": "Mend",
    "cveId": "CVE-2021-25988",
    "datePublished": "2021-12-29T09:10:14.710Z",
    "dateReserved": "2021-01-22T00:00:00.000Z",
    "dateUpdated": "2025-04-30T15:44:07.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-70070

CVE-2021-25988 (GCVE-0-2021-25988)

Tags

Sightings

Nomenclature