QwikSec

Security Database

CVE

CWE

Training

CVE-2021-21319

Published: Oct 25, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is the default state). Malicious javascript code can be executed (not stored) on login and retrieve password pages. This issue is patched in version 0.9.5.

Vendor	Product	Versions
galette	galette	affected `< 0.9.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/galette/galette/security/advisories/GHSA-vjc9-mj44-x59q

x_refsource_CONFIRM

https://github.com/galette/galette/commit/514418da973ae5b84bf97f94bd288a41e8e3f0a6

x_refsource_MISC

https://github.com/galette/galette/commit/8f3bdd9f7d0708466e011253064a867ca2b271a5

x_refsource_MISC

https://github.com/galette/galette/commit/f54b2570615d38d0302e937079233e52c2d80995

x_refsource_MISC

https://bugs.galette.eu/issues/1535

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.