Vulnerability Details CVE-2021-32607
An issue was discovered in Smartstore (aka SmartStoreNET) through 4.1.1. Views/PrivateMessages/View.cshtml does not call HtmlUtils.SanitizeHtml on a private message.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.068
EPSS Ranking 90.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://blog.sonarsource.com/smartstorenet-malicious-message-leading-to-e-commerce-takeover/
- https://github.com/smartstore/SmartStoreNET/commit/5b4e60ae7124df0898975cb8f994f9f23db1fae3
- https://blog.sonarsource.com/smartstorenet-malicious-message-leading-to-e-commerce-takeover/
- https://github.com/smartstore/SmartStoreNET/commit/5b4e60ae7124df0898975cb8f994f9f23db1fae3
Products affected by CVE-2021-32607
-
cpe:2.3:a:smartstore:smartstore:1.2.0
-
cpe:2.3:a:smartstore:smartstore:1.2.1
-
cpe:2.3:a:smartstore:smartstore:2.0.0
-
cpe:2.3:a:smartstore:smartstore:2.0.1
-
cpe:2.3:a:smartstore:smartstore:2.0.2
-
cpe:2.3:a:smartstore:smartstore:2.1.0
-
cpe:2.3:a:smartstore:smartstore:2.1.1
-
cpe:2.3:a:smartstore:smartstore:2.2.0
-
cpe:2.3:a:smartstore:smartstore:2.2.1
-
cpe:2.3:a:smartstore:smartstore:2.2.2
-
cpe:2.3:a:smartstore:smartstore:2.5.0
-
cpe:2.3:a:smartstore:smartstore:2.6.0
-
cpe:2.3:a:smartstore:smartstore:3.0.0
-
cpe:2.3:a:smartstore:smartstore:3.0.1
-
cpe:2.3:a:smartstore:smartstore:3.0.2
-
cpe:2.3:a:smartstore:smartstore:3.0.3
-
cpe:2.3:a:smartstore:smartstore:3.1.0
-
cpe:2.3:a:smartstore:smartstore:3.1.5
-
cpe:2.3:a:smartstore:smartstore:3.2.0
-
cpe:2.3:a:smartstore:smartstore:3.2.1
-
cpe:2.3:a:smartstore:smartstore:3.2.2
-
cpe:2.3:a:smartstore:smartstore:4.0.0
-
cpe:2.3:a:smartstore:smartstore:4.0.1
-
cpe:2.3:a:smartstore:smartstore:4.1.0
-
cpe:2.3:a:smartstore:smartstore:4.1.1