CVE-2021-21494

MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can leverage this to read the centralmka2 (session token) cookie, which is not set to HTTPOnly.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
mk-authmk-auth
𝑥
≤ 19.01
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://mk-auth.com.br/
https://gist.github.com/alacerda/380b8923e36a29a02ba1457c1eb3ec2f
http://mk-auth.com.br/
https://gist.github.com/alacerda/380b8923e36a29a02ba1457c1eb3ec2f