CVE-2021-32853 MEDIUM

CVE-2021-32853: Erxes vulnerable to Cross-site Scripting

Vendor Npm

Product erxes

Weakness CWE-79 · XSS

Published February 20, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known patches.

Key dates

02Disclosure timeline

February 20, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-32853

Related vulnerabilities

04Related CVE

CVE-2021-3539 EspoCRM Avatar Persistent XSS CVE-2026-27746 SPIP jeux < 4.1.1 Reflected XSS via index Parameters CVE-2026-0738 Shortcodes Ultimate <= 7.4.8 - authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode CVE-2025-7946 PHPGurukul Apartment Visitors Management System HTTP POST Request search-visitor.php cross site scripting CVE-2026-7509 KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]