CVE-2021-41236 MEDIUM

CVE-2021-41236: XSS vulnerability in oro/platform

Vendor: Oroinc
Product: platform
Weakness: CWE-79 · XSS
Published: January 4, 2022
Last update: April 23, 2025

CVSS base score

6.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01 Description

OroPlatform is a PHP Business Application Platform. In affected versions, the email template preview is vulnerable to an XSS payload added to the email template content. An attacker must have permission to create or edit an email template. For the payload to execute, the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as possible.

Key dates

02 Disclosure timeline

January 4, 2022: CVE published
April 23, 2025: Record updated
