CVE-2021-42078

{"id": "CVE-2021-42078", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-11-08T05:15:07.553", "references": [{"url": "http://seclists.org/fulldisclosure/2021/Nov/24", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site."}, {"lang": "es", "value": "PHP Event Calendar versiones hasta el 04-11-2021 permite un ataque de tipo cross-site scripting (XSS) persistente, como es demostrado por el par\u00e1metro de t\u00edtulo /server/ajax/events_manager.php. Esto puede ser explotado por un adversario de m\u00faltiples maneras, por ejemplo, para llevar a cabo acciones en la p\u00e1gina en el contexto de otros usuarios, o para desfigurar el sitio"}], "lastModified": "2021-11-09T22:07:50.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php_event_calendar_project:php_event_calendar:2021-11-04:*:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "80C22DF8-3F0C-4AC8-9D45-CC5A2155218C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}