CVE-2021-32812 Information

Description

Monkshu is an enterprise application server for mobile apps (iOS and Android) responsive HTML 5 apps and JSON API services. In version 2.90 and earlier there is a reflected cross-site scripting vulnerability in frontend HTTP server. The attacker can send in a carefully crafted URL along with a known bug in the server which will cause a 500 error and the response will then embed the URL provided by the hacker. The impact is moderate as the hacker must also be able to craft an HTTP request which should cause a 500 server error. None such requests are known as this point. The issue is patched in version 2.95. As a workaround one may use a disk caching plugin.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/TekMonksGitHub/monkshu/security/advisories/GHSA-hcpx-66hq-7g4x https://github.com/TekMonksGitHub/monkshu/commit/4601a9bfdc934d7ac32619ce621652fad0cf452b https://github.com/TekMonksGitHub/monkshu/releases/tag/v2.95

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1