CVE-2021-24323

MEDIUM4.8EPSS 0.38%

Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled

發布日:2022/5/24修改日:2024/2/16

描述

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled

受影響套件(1)

Packagist/woocommerce/woocommercefrom 0, < 5.2.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-24323
PATCHhttps://github.com/woocommerce/woocommerce
WEBhttps://github.com/woocommerce/woocommerce/commit/6ede8c5f59aec3ca70aa27d1ffd5a6574473f2ce
WEBhttps://wpscan.com/vulnerability/6d262555-7ae4-4e36-add6-4baa34dc3010