CVE-2021-25990 - Vulnerability Details - OpenCVE

In “ifme”, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00206.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
If-me	Ifme

Configuration 1 [-]

cpe:2.3:a:if-me:ifme:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

Update version to v7.32 or later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990

History

Wed, 30 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2021-12-29T09:10:17.689Z

Updated: 2025-04-30T15:43:55.017Z

Reserved: 2021-01-22T00:00:00.000Z

Link: CVE-2021-25990

Vulnrichment

Updated: 2024-08-03T20:19:19.260Z

NVD

Status : Modified

Published: 2021-12-29T09:15:09.363

Modified: 2024-11-21T05:55:44.830

Link: CVE-2021-25990

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "ifme", "vendor": "ifmeorg", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "v7.22.0", "versionType": "custom"}, {"lessThanOrEqual": "v7.31.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "datePublic": "2021-12-27T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-29T09:10:17.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"}, {"tags": ["x_refsource_MISC"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"}], "solutions": [{"lang": "en", "value": "Update version to v7.32 or later"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "2021-12-27T08:22:00.000Z", "ID": "CVE-2021-25990", "STATE": "PUBLIC", "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ifme", "version": {"version_data": [{"version_affected": ">=", "version_value": "v7.22.0"}, {"version_affected": "<=", "version_value": "v7.31.4"}]}}]}, "vendor_name": "ifmeorg"}]}}, "credit": [{"lang": "eng", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc", "refsource": "MISC", "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"}, {"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990", "refsource": "MISC", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"}]}, "solution": [{"lang": "en", "value": "Update version to v7.32 or later"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.260Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-30T15:27:31.049019Z", "id": "CVE-2021-25990", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:43:55.017Z"}}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2021-25990", "datePublished": "2021-12-29T09:10:17.689Z", "dateReserved": "2021-01-22T00:00:00.000Z", "dateUpdated": "2025-04-30T15:43:55.017Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.260Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-25990", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-30T15:27:31.049019Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:30:27.231Z"}}], "cna": {"title": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section", "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ifmeorg", "product": "ifme", "versions": [{"status": "affected", "version": "v7.22.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "v7.31.4"}]}], "solutions": [{"lang": "en", "value": "Update version to v7.32 or later"}], "datePublic": "2021-12-27T00:00:00.000Z", "references": [{"url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc", "tags": ["x_refsource_MISC"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend", "dateUpdated": "2021-12-29T09:10:17.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "v7.22.0", "version_affected": ">="}, {"version_value": "v7.31.4", "version_affected": "<="}]}, "product_name": "ifme"}]}, "vendor_name": "ifmeorg"}]}}, "solution": [{"lang": "en", "value": "Update version to v7.32 or later"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc", "name": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc", "refsource": "MISC"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990", "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-25990", "STATE": "PUBLIC", "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section", "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "2021-12-27T08:22:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-25990", "state": "PUBLISHED", "dateUpdated": "2025-04-30T15:43:55.017Z", "dateReserved": "2021-01-22T00:00:00.000Z", "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "datePublished": "2021-12-29T09:10:17.689Z", "assignerShortName": "Mend"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:if-me:ifme:*:*:*:*:*:*:*:*", "matchCriteriaId": "93CB4525-D288-47E6-8CB5-AD8C138ECD0F", "versionEndIncluding": "7.31.4", "versionStartIncluding": "7.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."}, {"lang": "es", "value": "En \"ifme\", versiones v7.22.0 a v7.31.4, son vulnerables contra un ataque de tipo XSS auto almacenado en el campo contacts, ya que permite cargar cargas \u00fatiles de tipo XSS obtenidas por medio de un iframe"}], "id": "CVE-2021-25990", "lastModified": "2024-11-21T05:55:44.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-29T09:15:09.363", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}