CVE-2021-40492

MEDIUM

Gibbon 22 - Reflected Cross-Site Scripting via gibbonCourseClassID Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-40492. PoCs published by 5qu1n7.

AI-analyzed exploit summary: This repository contains a working proof-of-concept for CVE-2021-40492, demonstrating reflected XSS vulnerabilities in Gibbon version 22. The payloads exploit multiple parameters to execute arbitrary JavaScript.

Description

A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (via the gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents parameters to index.php).

Exploits (1)

nomisec · WORKING POC · 1 star
by 5qu1n7 · poc
https://github.com/5qu1n7/CVE-2021-40492

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Gibbon version 22
Authentication: No auth needed
Prerequisites: Access to vulnerable Gibbon instance
MITRE ATT&CK: (none listed)
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References (2)
Vendor Advisory (x_refsource_misc): https://gibbonedu.org/
Third Party Advisory (x_refsource_misc): https://github.com/5qu1n7/CVE-2021-40492

Scores

CVSS v3: 6.1
EPSS: 0.0232
EPSS Percentile: 81.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): gibbonedu/gibbon 22.0.00
Published: Sep 03, 2021
Tracked Since: Feb 18, 2026