GSD-2021-43853
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-43853",
"description": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.",
"id": "GSD-2021-43853"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-43853"
],
"details": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.",
"id": "GSD-2021-43853",
"modified": "2023-12-13T01:23:26.225501Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43853",
"STATE": "PUBLIC",
"TITLE": "Cross-Site Scripting in AjaxNetProfessional"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ajax.NET-Professional",
"version": {
"version_data": [
{
"version_value": "\u003c 21.12.22.1"
}
]
}
}
]
},
"vendor_name": "michaelschwarz"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7",
"refsource": "CONFIRM",
"url": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7"
},
{
"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b",
"refsource": "MISC",
"url": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b"
},
{
"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1",
"refsource": "MISC",
"url": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1"
}
]
},
"source": {
"advisory": "GHSA-5q7q-qqw2-hjq7",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,21.12.21.1]",
"affected_versions": "All versions up to 21.12.21.1",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-79",
"CWE-937"
],
"date": "2022-01-06",
"description": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.",
"fixed_versions": [
"21.12.22.1"
],
"identifier": "CVE-2021-43853",
"identifiers": [
"GHSA-5q7q-qqw2-hjq7",
"CVE-2021-43853"
],
"not_impacted": "All versions after 21.12.21.1",
"package_slug": "nuget/AjaxNetProfessional",
"pubdate": "2022-01-06",
"solution": "Upgrade to version 21.12.22.1 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7",
"https://nvd.nist.gov/vuln/detail/CVE-2021-43853",
"https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b",
"https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1",
"https://github.com/advisories/GHSA-5q7q-qqw2-hjq7"
],
"uuid": "d7029fb2-16c1-4e5f-8682-5e5e0d58da17"
},
{
"affected_range": "(,21.12.22.1)",
"affected_versions": "All versions before 21.12.22.1",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2022-08-09",
"description": "Ajax.Releases are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.",
"fixed_versions": [],
"identifier": "CVE-2021-43853",
"identifiers": [
"CVE-2021-43853",
"GHSA-5q7q-qqw2-hjq7"
],
"not_impacted": "",
"package_slug": "nuget/AjaxPro.2",
"pubdate": "2021-12-22",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-43853",
"https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7",
"https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b",
"https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1"
],
"uuid": "a7edd49a-14ca-4682-8f0b-f5e6e969c74a"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ajax.net_professional_project:ajax.net_professional:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "21.12.22.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43853"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7",
"refsource": "CONFIRM",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7"
},
{
"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b"
},
{
"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2022-08-09T13:28Z",
"publishedDate": "2021-12-22T21:15Z"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…