CVE-2020-21993

In WEMS Limited Enterprise Manager 2.58, input passed to the GET parameter 'email' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.

Published: Apr 28, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-21993
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
wems / enterprise_manager	2.58.8903	2.58.8903.x
wems / enterprise_manager	2.55.8806	2.55.8806.x
wems / enterprise_manager	2.55.8782	2.55.8782.x
wems / enterprise_manager	2.19.7959	2.19.7959.x

https://cxsecurity.com/issue/WLB-2020010032
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5551.php

Vulnerability Database

289,599

CVE-2020-21993