CVE-2021-21494

EUVD-2021-8767
MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can leverage this to read the centralmka2 (session token) cookie, which is not set to HTTPOnly.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
Affected Products (NVD)
VendorProductVersion
mk-authmk-auth
𝑥
≤ 19.01
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://mk-auth.com.br/
https://gist.github.com/alacerda/380b8923e36a29a02ba1457c1eb3ec2f
http://mk-auth.com.br/
https://gist.github.com/alacerda/380b8923e36a29a02ba1457c1eb3ec2f