CVE-2021-47950

Description

Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

Passive

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

Low

Integrity (Subsequent System)

Low

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

Ampps / Advanced Guestbook2.4.4 – 2.4.4

References

EXPLOIThttps://www.exploit-db.com/exploits/49875
MISChttps://www.ampps.com/apps/guestbooks/Advanced_Guestbook
VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/advanced-guestbook-persistent-xss-via-smilies