Jetengine
CVE-2021-38607
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input.
AnalysisAI
Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. Affected products include: Crocoblock Jetengine. Version information: before 2.6.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Co
Crocoblock JetEngine before 2.9.1 does not properly validate and sanitize form data. Rated critical severity (CVSS 9.8),
SQL injection in Crocoblock JetEngine (a WordPress plugin) through version 3.8.8.1 allows remote unauthenticated attacke
Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to
Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inj
Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote att
Crocoblock JetEngine versions below 3.8.4.1 are vulnerable to unsafe deserialization of untrusted data, enabling authent
Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extra
Reflected or stored cross-site scripting in the JetEngine WordPress plugin (versions 3.8.10 and earlier) allows remote u
Unauthenticated cross-site scripting in the JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attacke
Unauthenticated reflected/stored cross-site scripting in the JetEngine WordPress plugin (versions <= 3.8.9.1) allows rem
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today