Vulnerability Details CVE-2021-21494
MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can leverage this to read the centralmka2 (session token) cookie, which is not set to HTTPOnly.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.3%
CVSS Severity
CVSS v3 Score 4.8
CVSS v2 Score 3.5
References