CVE-2021-25978 MEDIUM

CVE-2021-25978: Apostrophe - XSS

Vendor Apostrophe
Product Apostrophe
Weakness CWE-79 · XSS
Published November 7, 2021
Last update April 30, 2025
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.

Key dates

02Disclosure timeline

November 7, 2021 CVE published
April 30, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-10590 Portabilis i-Educar educar_usuario_det.php cross site scripting CVE-2026-24389 WordPress Gallery PhotoBlocks plugin <= 1.3.2 - Cross Site Scripting (XSS) vulnerability CVE-2025-32135 WordPress Split Test For Elementor plugin <= 1.8.4 - Cross Site Scripting (XSS) vulnerability CVE-2025-46858 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-12499 WP jQuery DataTable <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting