CVE-2021-31673

MEDIUM

Cyclos 4.0.0-4.14.7 - DOM-Based Cross-Site Scripting via Registration GroupId Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-31673. PoCs published by Tin Pham.

AI-analyzed exploit summary This is a writeup describing a DOM-based XSS vulnerability in Cyclos 4.14.7 and prior versions. The vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the 'groupId' parameter during user registration.

Description

A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter.

Exploits (1)

exploitdb WRITEUP

by Tin Pham · textwebappsmultiple

https://www.exploit-db.com/exploits/50909

View Code ZIP pw:eip

This is a writeup describing a DOM-based XSS vulnerability in Cyclos 4.14.7 and prior versions. The vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the 'groupId' parameter during user registration.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Cyclos 4.14.7 (and prior)

No auth needed

Prerequisites: Victim must open a crafted URL

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Not Applicable x_refsource_misc

http://cyclos.com

Exploit, Third Party Advisory x_refsource_misc

https://tf1t.gitbook.io/mycve/cylos/cyclos-4.14.7-dom-based-cross-site-scripting-cve-2021-31673

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/167040/Cyclos-4.14.7-Cross-Site-Scripting.html

Scores

CVSS v3 6.1

EPSS 0.0335

EPSS Percentile 87.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

cyclos/cyclos 4.0.0 - 4.14.7

Published May 02, 2022

Tracked Since Feb 18, 2026