CVE Vulnerability

CVE-2021-21319

Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is the default state). Malicious javascript code can be executed (not stored) on login and retrieve password pages. This issue is patched in version 0.9.5.

3.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/galette/galette/security/advisories/GHSA-vjc9-mj44-x59q Third Party Advisory
https://bugs.galette.eu/issues/1535 Permissions Required Vendor Advisory
https://github.com/galette/galette/commit/514418da973ae5b84bf97f94bd288a41e8e3f0a6 Patch Third Party Advisory
https://github.com/galette/galette/commit/8f3bdd9f7d0708466e011253064a867ca2b271a5 Patch Third Party Advisory
https://github.com/galette/galette/commit/f54b2570615d38d0302e937079233e52c2d80995 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:galette:galette:*:*:*:*:*:*:*:*
Information

Published : 2021-10-25 04:15

Updated : 2021-10-28 01:12

NVD link : CVE-2021-21319

Mitre link : CVE-2021-21319

Products Affected
No products.
CWE
CWE-79