CVE-2021-41236

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/oro/platform

Identifiers

CVE-2021-41236, GHSA-qv7g-j98v-8pp7

Package Slug

packagist/oro/platform

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

OroPlatform is a PHP Business Application Platform. An attacker must have permission to create or edit an email template. For successful payload execution, the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as possible.

Affected Versions

All versions starting from 3.1.0 before 3.1.21, all versions starting from 4.1.0 before 4.1.14, all versions starting from 4.2.0 before 4.2.8

Solution

Upgrade to versions 4.0.0, 4.2.8 or above.

Last Modified

2022-01-10
