Build Of Quarkus
CVE-2021-3536
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
AnalysisAI
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Affected products include: Redhat Build Of Quarkus, Redhat Data Grid, Redhat Descision Manager, Redhat Integration Camel K, Redhat Integration Camel Quarkus. Version information: before 23.0.2..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Build Of Quarkus
View allA flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly whe
A vulnerability was found in quarkus. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no
A vulnerability was found in quarkus-core. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, l
A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). Rated high sev
A flaw was found in Quarkus. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authenticati
A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenticat
A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenticat
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. Rated high severity (CVSS 7.4), this vulne
A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentic
If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated
A flaw was found in the Quarkus Cache Runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploita
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today