SB2021081803 - Multiple vulnerabilities in xArrow
Published: August 18, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2021-33021)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "edate" parameter in xhisalarm.htm. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2021-33001)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "bdate" parameter in xhisvalue.htm. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-33025)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the affected product permits unvalidated registry keys to be run with application-level privileges., which leads to security restrictions bypass and privilege escalation.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.