CVE-2021-44082

textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. A remote and unauthenticated attacker can use XSS to trigger remote code execution by uploading a webshell. To do so they must first steal the CSRF token before submitting a file upload request.

Published: Mar 30, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-44082
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
textpattern / textpattern	4.8.7	4.8.7.x

https://pentest.co.uk/labs/leveraging-xss-to-get-rce-in-textpattern/
https://www.cornerpirate.com
https://www.pentest.co.uk

Vulnerability Database

290,020

CVE-2021-44082