CVE-2021-42856

Description

It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger a XSS vulnerability.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Affected products

Aternity / SteelCentral AppInternals Dynamic Sampling Agent10.x – 10.x
Aternity / SteelCentral AppInternals Dynamic Sampling Agent12.13.0 – 12.13.0
Aternity / SteelCentral AppInternals Dynamic Sampling Agent11.8.8 – 11.8.8

References

MISChttps://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856