CVE-2021-32542 - Vulnerability Details - OpenCVE

Description

The parameters of the specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers can remotely perform reflected XSS and obtain the users’ connection token that triggered the attack.

Published: 2021-05-28

Score: 4.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SysJust

CTS Web

affected

Version	Status	Constraints
`unspecified`	affected	≤ released 2021.3.25

Configuration 1 [-]

cpe:2.3:a:sysjust:cts_web:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update CTS to version released after 2021.3.25

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-19388	The parameters of the specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers can remotely perform reflected XSS and obtain the users’ connection token that triggered the attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00496.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344
https://www.twcert.org.tw/tw/cp-132-4758-82b05-1.html

History

No history.

Subscriptions

Sysjust Cts Web

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2021-05-28T08:10:27.711Z

Updated: 2024-09-16T19:05:10.400Z

Reserved: 2021-05-10T00:00:00.000Z

Link: CVE-2021-32542

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-28T08:15:07.093

Modified: 2024-11-21T06:07:13.990

Link: CVE-2021-32542

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "CTS Web", "vendor": "SysJust", "versions": [{"lessThanOrEqual": "released 2021.3.25", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-05-28T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The parameters of the specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers can remotely perform reflected XSS and obtain the users\u2019 connection token that triggered the attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-21T10:25:28.000Z", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-4758-82b05-1.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}], "solutions": [{"lang": "en", "value": "Update CTS to version released after 2021.3.25"}], "source": {"advisory": "TVN-202105004", "discovery": "EXTERNAL"}, "title": "SysJust CTS Web - Reflected XSS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-05-28T07:56:00.000Z", "ID": "CVE-2021-32542", "STATE": "PUBLIC", "TITLE": "SysJust CTS Web - Reflected XSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CTS Web", "version": {"version_data": [{"version_affected": "<=", "version_value": "released 2021.3.25"}]}}]}, "vendor_name": "SysJust"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The parameters of the specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers can remotely perform reflected XSS and obtain the users\u2019 connection token that triggered the attack."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-4758-82b05-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-4758-82b05-1.html"}, {"name": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344", "refsource": "CONFIRM", "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}]}, "solution": [{"lang": "en", "value": "Update CTS to version released after 2021.3.25"}], "source": {"advisory": "TVN-202105004", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:29.799Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-4758-82b05-1.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-32542", "datePublished": "2021-05-28T08:10:27.711Z", "dateReserved": "2021-05-10T00:00:00.000Z", "dateUpdated": "2024-09-16T19:05:10.400Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sysjust:cts_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5DB6391-81C8-47A2-A1F2-1B127E1FFC7E", "versionEndExcluding": "2021.3.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The parameters of the specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers can remotely perform reflected XSS and obtain the users\u2019 connection token that triggered the attack."}, {"lang": "es", "value": "Los par\u00e1metros de las funciones espec\u00edficas en el sistema de comercio web CTS no filtran los caracteres especiales, lo que permite a los atacantes no autenticados realizar XSS reflejado de forma remota y obtener el token de conexi\u00f3n de los usuarios que desencadena el ataque"}], "id": "CVE-2021-32542", "lastModified": "2024-11-21T06:07:13.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-28T08:15:07.093", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4758-82b05-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4758-82b05-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}