CVE-2021-45224

{"id": "CVE-2021-45224", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2022-01-24T20:15:08.370", "references": [{"url": "https://appsource.microsoft.com/en-us/product/web-apps/constructionindustrysolutionslimited-5057232.coinsconstructioncloud?tab=overview", "tags": ["Patch", "Product", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-053.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construction-cloud-erp-syss-2021-028/-029/-030/-031/-051/-052/-053", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in COINS Construction Cloud 11.12. In several locations throughout the application, JavaScript code is passed as a URL parameter. Attackers can trivially alter this code to cause malicious behaviour. The application is therefore vulnerable to reflected XSS via malicious URLs."}, {"lang": "es", "value": "Se ha detectado un problema en COINS Construction Cloud versi\u00f3n 11.12. En varios lugares de la aplicaci\u00f3n, el c\u00f3digo JavaScript es pasado como par\u00e1metro de la URL. Los atacantes pueden alterar trivialmente este c\u00f3digo para causar un comportamiento malicioso. Por lo tanto, la aplicaci\u00f3n es vulnerable a un ataque de tipo XSS reflejado por medio de URLs maliciosas"}], "lastModified": "2023-10-18T17:24:52.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:coins-global:coins_construction_cloud:11.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E220D9E-3B07-46DA-A9B6-534B47ACA65F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}