CVE-2021-32828 MEDIUM

CVE-2021-32828: Regular expression Denial of Service in MooTools

Vendor Hyland
Product Nuxeo
Weakness CWE-502 · Unsafe deserialization
Published January 5, 2023
Last update March 10, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by leveraging the automation API.

Key dates

02 Disclosure timeline

January 5, 2023 CVE published
March 10, 2025 Record updated