CVE-2021-32828

MEDIUM

Nuxeo Platform <11.5.109 - XSS

Title source: llm

Description

The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.

References (2)

[Exploit, Third Party Advisory] https://github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://securitylab.github.com/advisories/GHSL-2021-072-nuxeo

Scores

CVSS v3 5.4

EPSS 0.0032

EPSS Percentile 54.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-502 CWE-79

Status published

Affected Products (2)

hyland/nuxeo < 11.5.109

org.nuxeo.ecm.platform/nuxeo-platform-oauth Maven

Timeline

Published Jan 05, 2023

Tracked Since Feb 18, 2026