@IthacaLabs
Last active Feb 24, 2021
CVE-2021-3327
Description:
Ovation Dynamic Content Elementor 1.10.1 allows an XSS attack via the "post_title" parameter.
Vulnerability Type:
Cross Site Scripting (XSS)
Product Vendor:
Ovation S.r.l
Affected Product:
Dynamic content for elementor version 1.10.1
Affected Component:
<input class="elementor-field elementor-field-textual elementor-size-lg" type="text" placeholder="" value="\"><script>alert(document.cookie)</script><\"" name="post_title" id="dce_view_f9fc119_post_title">
Attack Type:
Remote
CVE Impact:
JavaScript code execution, session hijacking, access control bypass, and CSRF attacks.
Attack Vector:
This flaw exists due to improper sanitization and validation of a user-controlled parameter value, which is then interpreted by the web application.
Reference:
https://www.dynamic.ooo/
Discoverer:
IthacaLabs at Odyssey CyberSecurity
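
A regression check for the reflection described under Attack Vector, as an added example that is not code from the advisory or the plugin. It models the post_title field rendered without and with HTML-attribute encoding (Python's html.escape stands in for the plugin's output escaping, which the advisory does not show) and parses the result to confirm the submitted text stayed inside the value attribute; the function and class names are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Payload string as it appears in the advisory's "Affected Component" field.
PAYLOAD = '"><script>alert(document.cookie)</script><"'


def render_unescaped(post_title):
    """Models the flawed behaviour: the value is concatenated into the attribute as-is."""
    return '<input type="text" name="post_title" value="' + post_title + '">'


def render_escaped(post_title):
    """Models the fix: HTML-attribute encoding (&, <, >, " and ' become entities)."""
    return ('<input type="text" name="post_title" value="'
            + escape(post_title, quote=True) + '">')


class FieldAudit(HTMLParser):
    """Records every element seen and the parsed value of the post_title input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.field_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "post_title":
            self.field_value = attrs.get("value")


def reflection_is_safe(html, submitted):
    """True if the submitted text round-trips inside value= and created no extra markup."""
    audit = FieldAudit()
    audit.feed(html)
    audit.close()
    return audit.tags == ["input"] and audit.field_value == submitted


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        print(name, "safe:", reflection_is_safe(render(PAYLOAD), PAYLOAD))
```

A benign title passes the check even with the unescaped renderer, so a test of this field only exercises the flaw when the input contains a double quote and angle brackets.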