CVE-2021-43853 - OpenCVE

Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ajax.net Professional Project	Ajax.net Professional

Configuration 1 [-]

cpe:2.3:a:ajax.net_professional_project:ajax.net_professional:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b
https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1
https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-12-22T20:55:09

Updated: 2024-08-04T04:10:16.314Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43853

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-22T21:15:07.527

Modified: 2022-08-09T13:28:25.660

Link: CVE-2021-43853

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Ajax.NET-Professional", "vendor": "michaelschwarz", "versions": [{"status": "affected", "version": "< 21.12.22.1"}]}], "descriptions": [{"lang": "en", "value": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-22T20:55:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1"}], "source": {"advisory": "GHSA-5q7q-qqw2-hjq7", "discovery": "UNKNOWN"}, "title": "Cross-Site Scripting in AjaxNetProfessional", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43853", "STATE": "PUBLIC", "TITLE": "Cross-Site Scripting in AjaxNetProfessional"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ajax.NET-Professional", "version": {"version_data": [{"version_value": "< 21.12.22.1"}]}}]}, "vendor_name": "michaelschwarz"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7", "refsource": "CONFIRM", "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7"}, {"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b", "refsource": "MISC", "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b"}, {"name": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1", "refsource": "MISC", "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1"}]}, "source": {"advisory": "GHSA-5q7q-qqw2-hjq7", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:16.314Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43853", "datePublished": "2021-12-22T20:55:09", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:10:16.314Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ajax.net_professional_project:ajax.net_professional:*:*:*:*:*:*:*:*", "matchCriteriaId": "F73C43B4-EDD4-4772-B431-D66CCE27CBBF", "versionEndExcluding": "21.12.22.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details."}, {"lang": "es", "value": "Ajax.NET Professional (AjaxPro) es un framework AJAX disponible para Microsoft ASP.NET. Las versiones afectadas de este paquete son vulnerables a una inyecci\u00f3n de objetos de JavaScript, lo que puede resultar en una vulnerabilidad de tipo cross site scripting cuando es aprovechada por un usuario malicioso. El n\u00facleo afectado est\u00e1 relacionado con la creaci\u00f3n de objetos JavaScript cuando es analizada la entrada json. Las versiones anteriores a la 21.12.22.1 est\u00e1n afectadas. Se presenta una soluci\u00f3n que reemplaza uno de los archivos JavaScript del n\u00facleo insertado en la biblioteca. Consulte el documento GHSA-5q7q-qqw2-hjq7 para conocer los detalles de la soluci\u00f3n"}], "id": "CVE-2021-43853", "lastModified": "2022-08-09T13:28:25.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-12-22T21:15:07.527", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}