An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change of name and last name. However, these fields are vulnerable to XSS payload insertion, being triggered in the admin panel when the admin tries to see the client list. This type of XSS (stored) can lead to the extraction of the PHPSESSID cookie belonging to the admin.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-31T04:05:12

Updated: 2024-08-04T01:37:15.528Z

Reserved: 2021-08-05T00:00:00

Link: CVE-2021-38143

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-08-31T05:15:06.563

Modified: 2024-11-21T06:16:28.323

Link: CVE-2021-38143

cve-icon Redhat

No data.