CVE-2021-31674

MEDIUM

Cyclos < 4.14.7 - XSS

Title source: rule

Description

Cyclos 4 PRO 4.14.7 and earlier does not validate user input in error information, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum constant.

Exploits (1)

exploitdb WORKING POC
by Tin Pham · text · webapps · multiple
https://www.exploit-db.com/exploits/50908

Scores

CVSS v3 6.1
EPSS 0.0216
EPSS Percentile 84.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
cyclos/cyclos 4.0.0 - 4.14.7
Published May 02, 2022
Tracked Since Feb 18, 2026