CVE-2021-30150

MEDIUM

Composr 10.0.36 - Cross-Site Scripting in XML Script

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-30150. PoCs published by Orion Hridoy.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Composr CMS 10.0.36 by injecting a malicious script via the 'default' parameter in the 'data/ajax_tree.php' endpoint. The payload uses an XML namespace to bypass input validation and execute arbitrary JavaScript.

Description

Composr 10.0.36 allows XSS in an XML script.

Exploits (1)

exploitdb WORKING POC
by Orion Hridoy · text · webapps · php
https://www.exploit-db.com/exploits/49749


Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Composr CMS 10.0.36
No auth needed
Prerequisites: Access to the vulnerable endpoint
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Patch, Third Party Advisory x_refsource_misc
https://gitlab.com/composr-foundation/composr/commit/833a06466
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/162111/Composr-CMS-10.0.36-Cross-Site-Scripting.html

Scores

CVSS v3 6.1
EPSS 0.0278
EPSS Percentile 84.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status published
Products (1)
ocproducts/composr 10.0.36
Published Apr 06, 2021
Tracked Since Feb 18, 2026