CVE-2021-25988 - Vulnerability Details - OpenCVE

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
If-me	Ifme

Configuration 1 [-]

cpe:2.3:a:if-me:ifme:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988

History

Wed, 30 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2021-12-29T09:10:14.710Z

Updated: 2025-04-30T15:44:07.124Z

Reserved: 2021-01-22T00:00:00.000Z

Link: CVE-2021-25988

Vulnrichment

Updated: 2024-08-03T20:19:19.487Z

NVD

Status : Modified

Published: 2021-12-29T09:15:09.150

Modified: 2024-11-21T05:55:44.560

Link: CVE-2021-25988

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ifme", "vendor": "ifmeorg", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.0.0", "versionType": "custom"}, {"lessThanOrEqual": "v7.31.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "datePublic": "2021-12-26T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-29T09:10:14.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"}, {"tags": ["x_refsource_MISC"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"}], "solutions": [{"lang": "en", "value": "Update version to v7.32 or later"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "2021-12-26T16:07:00.000Z", "ID": "CVE-2021-25988", "STATE": "PUBLIC", "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ifme", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.0.0"}, {"version_affected": "<=", "version_value": "v7.31.4"}]}}]}, "vendor_name": "ifmeorg"}]}}, "credit": [{"lang": "eng", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c", "refsource": "MISC", "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"}, {"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988", "refsource": "MISC", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"}]}, "solution": [{"lang": "en", "value": "Update version to v7.32 or later"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.487Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-30T15:27:33.691663Z", "id": "CVE-2021-25988", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:44:07.124Z"}}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2021-25988", "datePublished": "2021-12-29T09:10:14.710Z", "dateReserved": "2021-01-22T00:00:00.000Z", "dateUpdated": "2025-04-30T15:44:07.124Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.487Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-25988", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-30T15:27:33.691663Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:30:29.946Z"}}], "cna": {"title": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section", "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ifmeorg", "product": "ifme", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "v7.31.4"}]}], "solutions": [{"lang": "en", "value": "Update version to v7.32 or later"}], "datePublic": "2021-12-26T00:00:00.000Z", "references": [{"url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c", "tags": ["x_refsource_MISC"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend", "dateUpdated": "2021-12-29T09:10:14.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.0.0", "version_affected": ">="}, {"version_value": "v7.31.4", "version_affected": "<="}]}, "product_name": "ifme"}]}, "vendor_name": "ifmeorg"}]}}, "solution": [{"lang": "en", "value": "Update version to v7.32 or later"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c", "name": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c", "refsource": "MISC"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988", "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-25988", "STATE": "PUBLIC", "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section", "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "2021-12-26T16:07:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-25988", "state": "PUBLISHED", "dateUpdated": "2025-04-30T15:44:07.124Z", "dateReserved": "2021-01-22T00:00:00.000Z", "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "datePublished": "2021-12-29T09:10:14.710Z", "assignerShortName": "Mend"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:if-me:ifme:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBBE8184-93D5-4631-8C5F-61E5A0A3CA3B", "versionEndIncluding": "7.31.4", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."}, {"lang": "es", "value": "En \"ifme\", versiones 1.0.0 a v7.31.4, son suceptibles ante una vulnerabilidad de tipo XSS almacenada (secci\u00f3n de notificaciones) que puede ser desencadenada directamente mediante el env\u00edo de una petici\u00f3n de aliado al administrador"}], "id": "CVE-2021-25988", "lastModified": "2024-11-21T05:55:44.560", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-29T09:15:09.150", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}