How severe is CVE-2021-24229?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2021-24229?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2021-24229 - CRITICAL Severity | CVSS 9.6

Vulnerability Description

The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2. This AJAX hook is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible for user accounts with the ‘manage_options’ privilege (i.e.., only administrators). Unfortunately, one of the parameters used in this AJAX endpoint is not sanitized before being printed back to the user, so the risk it represents is the same as the previous XSS vulnerability.

Related Vulnerabilities

CVE-2011-3642

CRITICAL

CVSS:9.6(Critical)

Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web scr...

CWE-792011

CVE-2014-5039

CRITICAL

CVSS:9.6(Critical)

Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CWE-792014

CVE-2015-10073

CRITICAL

CVSS:9.6(Critical)

A vulnerability, which was classified as problematic, was found in tinymighty WikiSEO 1.2.1 on MediaWiki. This affects the function modifyHTML of the file WikiSEO.body.php of the component Meta Proper...

CWE-792015

CVE-2015-20105

CRITICAL

CVSS:9.6(Critical)

The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due t...

CWE-792015

CVE-2018-18864

CRITICAL

CVSS:9.6(Critical)

Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed.

CWE-792018

CVE-2019-13363

CRITICAL

CVSS:9.6(Critical)

admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail&...

CWE-792019