Skip to main content

Gila Cms CVE-2021-39486

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2021-10-04 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 04, 2021 - 14:15 nvd
MEDIUM 5.4

DescriptionNVD

A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies, passwords or to run arbitrary code on a victim's browser.

AnalysisAI

A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies, passwords or to run arbitrary code on a victim's browser. Affected products include: Gilacms Gila Cms. Version information: version 2.2.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2020-5514 CRITICAL POC
9.1 Jan 06

Gila CMS 1.11.8 allows Unrestricted Upload of a File with a Dangerous Type via .phar or .phtml to the lzld/thumb?src= UR

CVE-2019-11456 HIGH POC
8.8 Apr 22

Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. Rated high severity (CVSS 8.8), this vulnerability

CVE-2021-37777 HIGH POC
7.5 Oct 04

Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Rated high severity (CVSS 7.5), this vulnerabil

CVE-2020-28692 HIGH POC
7.2 Nov 16

In Gila CMS 1.16.0, an attacker can upload a shell to tmp directy and abuse .htaccess through the logs function for exec

CVE-2020-5515 HIGH POC
7.2 Jan 06

Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection. Rated high severity (CVSS 7.2), this vulnerability is remotely e

CVE-2020-5513 MEDIUM POC
6.8 Jan 06

Gila CMS 1.11.8 allows /cm/delete?t=../ Directory Traversal. Rated medium severity (CVSS 6.8), this vulnerability is rem

CVE-2020-5512 MEDIUM POC
6.8 Jan 06

Gila CMS 1.11.8 allows /admin/media?path=../ Path Traversal. Rated medium severity (CVSS 6.8), this vulnerability is rem

CVE-2019-17535 MEDIUM POC
6.1 Oct 13

Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a

CVE-2019-9647 MEDIUM POC
6.1 Jun 05

Gila CMS 1.9.1 has XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication

CVE-2019-17536 MEDIUM POC
4.9 Oct 13

Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/c

CVE-2019-16679 MEDIUM POC
4.9 Sep 21

Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion. Rated medium severit

CVE-2019-11515 MEDIUM POC
4.9 Apr 25

core/classes/db_backup.php in Gila CMS 1.10.1 allows admin/db_backup?download= absolute path traversal to read arbitrary

Share

CVE-2021-39486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy