QwikSec

Security Database

CVE

CWE

Training

CVE-2021-47725

Published: Dec 31, 2025

Modified: Jan 2, 2026

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site.

Vendor	Product	Versions
STVS SA	STVS ProVision	affected `5.9.10` affected `5.9.9` affected `5.9.7` affected `5.9.1` affected `5.9.0` +4 more versions

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

Zero Science Lab Disclosure (ZSL-2021-5624)

third-party-advisory

Packet Storm Security Exploit Entry

exploit

CXSecurity Vulnerability Listing

third-party-advisory

IBM X-Force Vulnerability Exchange

vdb-entry

Vendor Homepage

product

VulnCheck Advisory: STVS ProVision 5.9.10 Authenticated Reflected Cross-Site Scripting via Files Parameter

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.