Vulnerability-Lookup

CNVD-2021-101181

Vulnerability from cnvd - Published: 2021-12-21

Title

ShinHer StudyOnline System跨站脚本漏洞

Description

ShinHer StudyOnline System是中国欣河（ShinHer）公司的一种校务系统。 ShinHer StudyOnline System存在跨站脚本漏洞，该漏洞源于ShinHer StudyOnline系统留言板的List Add功能不过滤标题参数中的特殊字符。攻击者可利用该漏洞使用用户权限登录后，可以注入JavaScript并执行存储的XSS攻击。

Severity

低

Patch Name

ShinHer StudyOnline System跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html

Reference

https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html

Impacted products

Name
ShinHer StudyOnline System v2021

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-42329"
    }
  },
  "description": "ShinHer StudyOnline System\u662f\u4e2d\u56fd\u6b23\u6cb3\uff08ShinHer\uff09\u516c\u53f8\u7684\u4e00\u79cd\u6821\u52a1\u7cfb\u7edf\u3002\n\nShinHer StudyOnline System\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShinHer StudyOnline\u7cfb\u7edf\u7559\u8a00\u677f\u7684List Add\u529f\u80fd\u4e0d\u8fc7\u6ee4\u6807\u9898\u53c2\u6570\u4e2d\u7684\u7279\u6b8a\u5b57\u7b26\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7528\u6237\u6743\u9650\u767b\u5f55\u540e\uff0c\u53ef\u4ee5\u6ce8\u5165JavaScript\u5e76\u6267\u884c\u5b58\u50a8\u7684XSS\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.twcert.org.tw/tw/cp-132-5199-61238-1.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-101181",
  "openTime": "2021-12-21",
  "patchDescription": "ShinHer StudyOnline System\u662f\u4e2d\u56fd\u6b23\u6cb3\uff08ShinHer\uff09\u516c\u53f8\u7684\u4e00\u79cd\u6821\u52a1\u7cfb\u7edf\u3002\r\n\r\nShinHer StudyOnline System\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShinHer StudyOnline\u7cfb\u7edf\u7559\u8a00\u677f\u7684List Add\u529f\u80fd\u4e0d\u8fc7\u6ee4\u6807\u9898\u53c2\u6570\u4e2d\u7684\u7279\u6b8a\u5b57\u7b26\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7528\u6237\u6743\u9650\u767b\u5f55\u540e\uff0c\u53ef\u4ee5\u6ce8\u5165JavaScript\u5e76\u6267\u884c\u5b58\u50a8\u7684XSS\u653b\u51fb\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ShinHer StudyOnline System\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "ShinHer StudyOnline System v2021"
  },
  "referenceLink": "https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html",
  "serverity": "\u4f4e",
  "submitTime": "2021-10-19",
  "title": "ShinHer StudyOnline System\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-42329 (GCVE-0-2021-42329)

Vulnerability from cvelistv5 – Published: 2021-10-15 12:10 – Updated: 2024-09-17 00:00

Title

ShinHer Information Co., LTD. ShinHer StudyOnline System - Stored XSS

Summary

The “List_Add” function of message board of ShinHer StudyOnline System does not filter special characters in the title parameter. After logging in with user’s privilege, remote attackers can inject JavaScript and execute stored XSS attacks.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

twcert

References

URL

Tags

https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ShinHer Information Co., LTD.	ShinHer StudyOnline System	Affected: unspecified , ≤ 2021 (custom)

Date Public ?

2021-10-15 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:30:38.352Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ShinHer StudyOnline System",
          "vendor": "ShinHer Information Co., LTD.",
          "versions": [
            {
              "lessThanOrEqual": "2021",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-10-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The \u201cList_Add\u201d function of message board of ShinHer StudyOnline System does not filter special characters in the title parameter. After logging in with user\u2019s privilege, remote attackers can inject JavaScript and execute stored XSS attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-15T12:10:29.000Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update ShinHer StudyOnline System to version v2021.08.20.01"
        }
      ],
      "source": {
        "advisory": "TVN-202110001",
        "discovery": "EXTERNAL"
      },
      "title": "ShinHer Information Co., LTD. ShinHer StudyOnline System - Stored XSS",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "TWCERT/CC",
          "ASSIGNER": "cve@cert.org.tw",
          "DATE_PUBLIC": "2021-10-15T11:38:00.000Z",
          "ID": "CVE-2021-42329",
          "STATE": "PUBLIC",
          "TITLE": "ShinHer Information Co., LTD. ShinHer StudyOnline System - Stored XSS"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ShinHer StudyOnline System",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2021"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ShinHer Information Co., LTD."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The \u201cList_Add\u201d function of message board of ShinHer StudyOnline System does not filter special characters in the title parameter. After logging in with user\u2019s privilege, remote attackers can inject JavaScript and execute stored XSS attacks."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html",
              "refsource": "MISC",
              "url": "https://www.twcert.org.tw/tw/cp-132-5199-61238-1.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update ShinHer StudyOnline System to version v2021.08.20.01"
          }
        ],
        "source": {
          "advisory": "TVN-202110001",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2021-42329",
    "datePublished": "2021-10-15T12:10:29.738Z",
    "dateReserved": "2021-10-12T00:00:00.000Z",
    "dateUpdated": "2024-09-17T00:00:29.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-101181

CVE-2021-42329 (GCVE-0-2021-42329)

Tags

Sightings

Nomenclature