CVE-2021-37365
MEDIUMCTparental < 4.45.03 - Cross-Site Scripting via 'cat' Query Parameter in bl_categories_help.php
Title source: llmDescription
CTparental before 4.45.03 is vulnerable to cross-site scripting (XSS) in the CTparental admin panel. In bl_categires_help.php, the 'categories' variable is assigned with the content of the query string param 'cat' without sanitization or encoding, enabling an attacker to inject malicious code into the output webpage.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://gitlab.com/marsat/CTparental/
Third Party Advisory x_refsource_misc
https://gist.github.com/securylight/092ba96a660e07ad76f2a380c2eaa75a
Scores
CVSS v3
6.1
EPSS
0.0069
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
ctparental_project/ctparental
< 4.45.03
Published
Aug 10, 2021
Tracked Since
Feb 18, 2026