CVE-2021-25974: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 10, 2021 (updated November 12, 2021)

Publify is vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.

References

github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e
nvd.nist.gov/vuln/detail/CVE-2021-25974
www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974

Code Behaviors & Features

Detect and mitigate CVE-2021-25974 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →