CVE-2021-32828
MEDIUMNuxeo < 11.5.109 - Reflected Cross-Site Scripting and Remote Code Execution via OAuth2 REST API
Title source: llmDescription
The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java
Exploit, Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2021-072-nuxeo
Scores
CVSS v3
5.4
EPSS
0.0071
EPSS Percentile
48.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-502
CWE-79
Status
published
Products (2)
hyland/nuxeo
< 11.5.109
org.nuxeo.ecm.platform/nuxeo-platform-oauth
0Maven
Published
Jan 05, 2023
Tracked Since
Feb 18, 2026