CVE-2021-38143 Information

Description

An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, the customer can log in and change their first and last name. However, these fields are vulnerable to XSS payload insertion, which is triggered in the admin panel when the administrator views the client list. This stored XSS can lead to the extraction of the PHPSESSID cookie belonging to the administrator.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://bernardofsr.github.io/blog/2021/form-tools/
https://github.com/formtools/core
https://www.formtools.org/
https://github.com/bernardofsr/CVEs-With-PoC/blob/main/PoCs/Form%20Tools/README.md

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
