CVE-2021-3694 HIGH

CVE-2021-3694: Cross-site Scripting (XSS) - Reflected in ledgersmb/ledgersmb

Vendor Ledgersmb
Product ledgersmb/ledgersmb
Weakness CWE-79 · XSS
Published August 23, 2021
Last update August 3, 2024
View on NVD All CVEs

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Key dates

02Disclosure timeline

August 23, 2021 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-5157 code-projects Online Food Ordering System Order order.php cross site scripting CVE-2023-4963 WS Facebook Like Box Widget <= 5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2025-31593 WordPress OpenMenu plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability CVE-2025-54683 WordPress WP Modal Popup with Cookie Integration Plugin plugin <= 2.4 - Cross Site Scripting (XSS) Vulnerability CVE-2024-12337 Shipping via Planzer for WooCommerce <= 1.0.25 - Reflected Cross-Site Scripting via processed-ids