Publify
CVE-2021-25975
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file.
AnalysisAI
In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file. Affected products include: Publify Project Publify.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Improper Input Validation in GitHub repository publify/publify prior to 9.2.10. Rated critical severity (CVSS 9.8), this
Code Injection in GitHub repository publify/publify prior to 9.2.8. Rated medium severity (CVSS 6.5), this vulnerability
Improper Access Control in GitHub repository publify/publify prior to 9.2.8. Rated medium severity (CVSS 6.5), this vuln
Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9. Rated medium severi
Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to
Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9. Rated medium sever
Weak Password Requirements in GitHub repository publify/publify prior to 9.2.10. Rated medium severity (CVSS 6.5), this
In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. Rated medium severity (CVSS 6.5), this vulner
Publify is a self hosted Web publishing platform on Rails. Rated low severity (CVSS 1.8), this vulnerability is remotely
In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability i
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today