CVE-2021-29663 - Vulnerability Details - OpenCVE

CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Course Registration Management System Project	Course Registration Management System

Configuration 1 [-]

cpe:2.3:a:course_registration_management_system_project:course_registration_management_system:2.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://sourceforge.net/projects/coursems
https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-31T19:03:37

Updated: 2024-08-03T22:11:06.362Z

Reserved: 2021-03-31T00:00:00

Link: CVE-2021-29663

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-31T20:15:14.207

Modified: 2024-11-21T06:01:36.440

Link: CVE-2021-29663

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-31T19:03:37", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://sourceforge.net/projects/coursems"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29663", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://sourceforge.net/projects/coursems", "refsource": "MISC", "url": "http://sourceforge.net/projects/coursems"}, {"name": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663", "refsource": "MISC", "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:11:06.362Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://sourceforge.net/projects/coursems"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29663", "datePublished": "2021-03-31T19:03:37", "dateReserved": "2021-03-31T00:00:00", "dateUpdated": "2024-08-03T22:11:06.362Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:course_registration_management_system_project:course_registration_management_system:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "EFFF9DB8-313C-4AE0-9E8B-7A69968E3670", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page."}, {"lang": "es", "value": "CourseMS (tambi\u00e9n se conoce como Course Registration Management System) versi\u00f3n 2.1 est\u00e1 afectado por un cross-site scripting (XSS). Cuando un atacante con acceso a una cuenta de administrador crea un puesto de trabajo en el \u00e1rea del Site (tambi\u00e9n se conoce como el par\u00e1metro name del archivo admin/add_jobs.php), puede insertar una carga \u00fatil XSS. Esta carga \u00fatil se ejecutar\u00e1 cada vez que alguien visite la p\u00e1gina de registro."}], "id": "CVE-2021-29663", "lastModified": "2024-11-21T06:01:36.440", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-31T20:15:14.207", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "http://sourceforge.net/projects/coursems"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "http://sourceforge.net/projects/coursems"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}