CVE-2021-3210
CRITICALBloodHound <= 4.0.1 - Remote Code Execution via Malicious Data File Import
Title source: llmDescription
components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrary system commands when the victim imports a malicious data file containing JavaScript in the objectId parameter.
References (3)
Core 3
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/BloodHoundAD/BloodHound/issues/338
Exploit, Third Party Advisory x_refsource_misc
https://github.com/BloodHoundAD/BloodHound/blob/338e197dc4b7a1ee929c335141172ada5bc80800/src/components/Modals/HelpTexts/GenericAll/GenericAll.jsx#L31-L37
Exploit, Third Party Advisory x_refsource_misc
https://github.com/BloodHoundAD/BloodHound/blob/338e197dc4b7a1ee929c335141172ada5bc80800/src/components/Modals/HelpModal.jsx#L57
Scores
CVSS v3
9.6
EPSS
0.0270
EPSS Percentile
84.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-79
Status
published
Products (1)
bloodhound_project/bloodhound
< 4.0.1
Published
Feb 19, 2021
Tracked Since
Feb 18, 2026