CVE-2021-32853

MEDIUM NUCLEI

Erxes <0.22.3 - XSS

Title source: llm

Description

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known patches.

Nuclei Templates (1)

Erxes <0.23.0 - Cross-Site Scripting

CRITICALby dwisiswant0

Shodan: http.title:"erxes"

FOFA: title="erxes"

References (3)

[Exploit, Issue Tracking] https://github.com/erxes/erxes/blob/f131b49add72032650d483f044d00658908aaf4a/widgets/server/index.ts#L54

View Exploit ZIP pw:eip

[Exploit, Issue Tracking] https://github.com/erxes/erxes/blob/f131b49add72032650d483f044d00658908aaf4a/widgets/server/views/widget.ejs#L14

[Exploit, Third Party Advisory] https://securitylab.github.com/advisories/GHSL-2021-103-erxes/

Scores

CVSS v3 6.1

EPSS 0.8452

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

erxes/erxes < 0.22.3

npm/erxes 0npm

Published Feb 20, 2023

Tracked Since Feb 18, 2026