CVE-2021-31674

MEDIUM

Cyclos 4.0.0-4.14.7 - Unauthenticated DOM-Based Cross-Site Scripting via Undefined Enum Constant


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-31674. PoCs published by Tin Pham.

AI-analyzed exploit summary: This exploit demonstrates a DOM-based XSS vulnerability in Cyclos 4.14.7 and prior versions. The attack leverages an undefined enum constant in the URL path to inject and execute arbitrary JavaScript code when a victim accesses the crafted URL.

Description

Cyclos 4 PRO 4.14.7 and before does not validate user input when reporting errors, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum constant.

Exploits (1)

exploitdb · WORKING POC
by Tin Pham · text · webapps · multiple
https://www.exploit-db.com/exploits/50908


Classification
Working PoC: 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Cyclos 4.14.7 and prior
No auth needed
Prerequisites: Victim must open the crafted URL
MITRE ATT&CK
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)
Product (x_refsource_misc): http://cyclos.com
Exploit, Third Party Advisory (x_refsource_misc): https://www.exploit-db.com/exploits/50908

Scores

CVSS v3: 6.1
EPSS: 0.0376
EPSS Percentile: 88.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): cyclos/cyclos 4.0.0 - 4.14.7
Published: May 02, 2022
Tracked Since: Feb 18, 2026