CVE-2021-25974 - Vulnerability Details - OpenCVE

In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Publify Project	Publify

Configuration 1 [-]

cpe:2.3:a:publify_project:publify:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974

History

Wed, 30 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2021-11-10T11:10:12.000Z

Updated: 2025-04-30T15:52:28.933Z

Reserved: 2021-01-22T00:00:00.000Z

Link: CVE-2021-25974

Vulnrichment

Updated: 2024-08-03T20:19:19.446Z

NVD

Status : Modified

Published: 2021-11-10T11:15:07.573

Modified: 2024-11-21T05:55:42.667

Link: CVE-2021-25974

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "publify_core", "vendor": "publify_core", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "v8.0", "versionType": "custom"}, {"lessThanOrEqual": "v9.2.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a \u201cpublisher\u201d role is able to inject and execute arbitrary JavaScript code while creating a page/article."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-10T11:10:11.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e"}, {"tags": ["x_refsource_MISC"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974"}], "solutions": [{"lang": "en", "value": "Update to v9.2.5"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "Publify - Stored Cross-Site Scripting (XSS) in Editor", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "ID": "CVE-2021-25974", "STATE": "PUBLIC", "TITLE": "Publify - Stored Cross-Site Scripting (XSS) in Editor"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "publify_core", "version": {"version_data": [{"version_affected": ">=", "version_value": "v8.0"}, {"version_affected": "<=", "version_value": "v9.2.4"}]}}]}, "vendor_name": "publify_core"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a \u201cpublisher\u201d role is able to inject and execute arbitrary JavaScript code while creating a page/article."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e", "refsource": "MISC", "url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e"}, {"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974", "refsource": "MISC", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974"}]}, "solution": [{"lang": "en", "value": "Update to v9.2.5"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.446Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-30T15:49:01.432192Z", "id": "CVE-2021-25974", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:52:28.933Z"}}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2021-25974", "datePublished": "2021-11-10T11:10:12.000Z", "dateReserved": "2021-01-22T00:00:00.000Z", "dateUpdated": "2025-04-30T15:52:28.933Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.446Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-25974", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-30T15:49:01.432192Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:51:25.772Z"}}], "cna": {"title": "Publify - Stored Cross-Site Scripting (XSS) in Editor", "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "publify_core", "product": "publify_core", "versions": [{"status": "affected", "version": "v8.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "v9.2.4"}]}], "solutions": [{"lang": "en", "value": "Update to v9.2.5"}], "references": [{"url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e", "tags": ["x_refsource_MISC"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a \u201cpublisher\u201d role is able to inject and execute arbitrary JavaScript code while creating a page/article."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend", "dateUpdated": "2021-11-10T11:10:11.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "v8.0", "version_affected": ">="}, {"version_value": "v9.2.4", "version_affected": "<="}]}, "product_name": "publify_core"}]}, "vendor_name": "publify_core"}]}}, "solution": [{"lang": "en", "value": "Update to v9.2.5"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e", "name": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e", "refsource": "MISC"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974", "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a \u201cpublisher\u201d role is able to inject and execute arbitrary JavaScript code while creating a page/article."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-25974", "STATE": "PUBLIC", "TITLE": "Publify - Stored Cross-Site Scripting (XSS) in Editor", "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com"}}}}, "cveMetadata": {"cveId": "CVE-2021-25974", "state": "PUBLISHED", "dateUpdated": "2025-04-30T15:52:28.933Z", "dateReserved": "2021-01-22T00:00:00.000Z", "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "datePublished": "2021-11-10T11:10:12.000Z", "assignerShortName": "Mend"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:publify_project:publify:*:*:*:*:*:*:*:*", "matchCriteriaId": "03BDB5FE-FAF3-4D40-B1D7-D0144A9E3612", "versionEndIncluding": "9.2.4", "versionStartIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a \u201cpublisher\u201d role is able to inject and execute arbitrary JavaScript code while creating a page/article."}, {"lang": "es", "value": "En Publify, versiones v8.0 a v9.2.4, son vulnerables a un ataque de tipo XSS almacenado. Un usuario con un rol \"publisher\" es capaz de inyectar y ejecutar c\u00f3digo JavaScript arbitrario mientras crea una p\u00e1gina/art\u00edculo"}], "id": "CVE-2021-25974", "lastModified": "2024-11-21T05:55:42.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-10T11:15:07.573", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}