CVE-2021-25978
Cross-site Scripting in apostrophe
Severity: 5.4 MEDIUM (CVSS 3.1) | EPSS 0.28%
Description
Apostrophe CMS versions from 2.63.0 to 3.3.1 are vulnerable to stored XSS: an editor can upload an SVG file containing malicious JavaScript to the Images module, and the script executes once the SVG is viewed.
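As an added illustration, not Apostrophe's own code or its actual fix (which is the upgrade below), here is a minimal upload-time check that rejects SVG files carrying executable content of the kind this advisory describes. The element and attribute policy is an assumption for this example, and the two sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed policy: SVG constructs that can execute script when the file is
# opened directly in a browser. Not Apostrophe's sanitizer.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # namespace prefix (e.g. xlink:) is stripped first

def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(svg_text: str) -> list[str]:
    """Return reasons an uploaded SVG should be rejected (empty list = clean)."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"element <{tag}> not allowed")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings

def is_safe_svg(svg_text: str) -> bool:
    """True when the SVG contains none of the constructs above."""
    return not svg_findings(svg_text)

# Constructed samples: a harmless icon and one that carries script.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
HOSTILE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
               '<script>console.log("constructed sample")</script></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "->", svg_findings(doc) or "accepted")
```

Rejecting script-bearing SVGs at upload time complements, rather than replaces, serving user uploads from a separate origin or with a restrictive Content-Security-Policy so that a viewed SVG cannot act in the site's own context.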
How to fix CVE-2021-25978
To remediate CVE-2021-25978, upgrade the affected package to a fixed version below.
- npm/apostrophe: upgrade to 3.4.0 or later
Is CVE-2021-25978 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/apostrophe: >= 2.63.0, < 3.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |