How severe is CVE-2021-21422?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.1 out of 10.

What type of vulnerability is CVE-2021-21422?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2021-21422 - MEDIUM Severity | CVSS 6.1

Vulnerability Description

mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use a payload with embedded javascript. This could send an export of a collection to the attacker without even an admin knowing. Other types of attacks such as dropping a database\collection are possible.

Related Vulnerabilities

CVE-2005-2350

MEDIUM

CVSS:6.1(Medium)

Cross-site scripting (XSS) vulnerability in websieve v0.62 allows remote attackers to inject arbitrary web script or HTML code in the web user interface.

CWE-792005

CVE-2006-5632

MEDIUM

CVSS:6.1(Medium)

Cross-site scripting (XSS) vulnerability in change_pass.php in iG Shop 1.4 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a different vulnerability than CVE-2006-...

CWE-792006

CVE-2006-5847

MEDIUM

CVSS:6.1(Medium)

Cross-site scripting (XSS) vulnerability in index.php in FreeWebshop 2.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat parameter.

CWE-792006

CVE-2007-3484

MEDIUM

CVSS:6.1(Medium)

Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed b...

CWE-792007

CVE-2007-4465

MEDIUM

CVSS:6.1(Medium)

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitr...

CWE-792007

CVE-2007-5817

MEDIUM

CVSS:6.1(Medium)

dialog.php in CONTENTCustomizer 3.1mp and earlier allows remote attackers to perform certain privileged actions via a (1) del, (2) delbackup, (3) res, or (4) ren action. NOTE: this issue can be levera...

CWE-792007