5.4

CVE-2021-33570

Exploit
Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Postbird ProjectPostbird Version0.8.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.71% 0.817
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/Paxa/postbird/issues/132
Third Party Advisory
Issue Tracking
https://github.com/Paxa/postbird/issues/133
Third Party Advisory
Issue Tracking
https://github.com/Paxa/postbird/issues/134
Third Party Advisory
Issue Tracking
https://github.com/Tridentsec-io/postbird
Third Party Advisory
Exploit
https://tridentsec.io/blogs/postbird-cve-2021-33570/
Third Party Advisory
Broken Link
URL Repurposed
https://www.exploit-db.com/exploits/49910
Third Party Advisory
Exploit
VDB Entry