CVE-2021-38699

MEDIUM

TastyIgniter 3.0.7 - Cross-Site Scripting via Account, Reservation, and Admin Pages

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-38699. PoCs published by HuskyHacks, Justin-1993.

AI-analyzed exploit summary The repository provides functional proof-of-concept exploit code for CVE-2021-38699, demonstrating multiple reflected XSS vulnerabilities in TastyIgniter v3.0.7. It includes detailed HTTP request examples targeting the admin dashboard, media manager, and location search parameters.

Description

TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashboard, and /admin/system_logs.

Exploits (3)

nomisec WORKING POC 5 stars
by HuskyHacks · poc
https://github.com/HuskyHacks/CVE-2021-38699-Reflected-XSS

The repository provides functional proof-of-concept exploit code for CVE-2021-38699, demonstrating multiple reflected XSS vulnerabilities in TastyIgniter v3.0.7. It includes detailed HTTP request examples targeting the admin dashboard, media manager, and location search parameters.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: TastyIgniter v3.0.7
Auth required
Prerequisites: Authenticated admin session · Access to the TastyIgniter admin dashboard
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 4 stars
by Justin-1993 · poc
https://github.com/Justin-1993/CVE-2021-38699

The repository describes a stored XSS vulnerability in TastyIgniter v3.0.7, detailing vulnerable pages and payloads. It lacks exploit code but provides technical specifics about the vulnerability.

Classification
Writeup 80%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: TastyIgniter v3.0.7
No auth needed
Prerequisites: Access to vulnerable pages (/account, /reservation, etc.)
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 3 stars
by HuskyHacks · poc
https://github.com/HuskyHacks/CVE-2021-38699-Stored-XSS

This repository documents a stored XSS vulnerability in TastyIgniter v3.0.7, where malicious payloads executed elsewhere in the application are logged and re-triggered when viewing the System Logs section. The PoC involves exploiting a reflected XSS first, then observing the stored execution in logs.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: TastyIgniter v3.0.7
Auth required
Prerequisites: Authenticated access to TastyIgniter · Ability to trigger reflected XSS elsewhere in the application
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Product x_refsource_misc
https://tastyigniter.com/support
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Justin-1993/CVE-2021-38699
Exploit, Third Party Advisory x_refsource_misc
https://pentesternotes.com/?p=209
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/163843/TastyIgniter-3.0.7-Cross-Site-Scripting.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/HuskyHacks/CVE-2021-38699-Reflected-XSS
Exploit, Third Party Advisory x_refsource_misc
https://github.com/HuskyHacks/CVE-2021-38699-Stored-XSS

Scores

CVSS v3 5.4
EPSS 0.0798
EPSS Percentile 94.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
tastyigniter/tastyigniter 3.0.7
Published Aug 15, 2021
Tracked Since Feb 18, 2026