CVE-2021-41318

MEDIUM

Progress WhatsUp Gold < 21.1.0 - Unauthenticated Stored Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-41318. PoCs published by Andreas Finstad.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in WhatsUpGold 21.0.3, where an SNMP device's sysContact field is manipulated to inject a malicious script. The script fetches and executes a remote JavaScript payload that creates a new administrator account via an unauthenticated API call.

Description

In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.

Exploits (1)

exploitdb · WORKING POC
by Andreas Finstad · text · webapps · multiple
https://www.exploit-db.com/exploits/50366


Classification: Working PoC 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: WhatsUpGold v.21.0.3, Build 188
No auth needed
Prerequisites: Access to an SNMP device on the target network · Ability to modify SNMPd.conf on the device · Network access to the WhatsUpGold server
devstral-2 · analyzed Feb 16, 2026


Scores

CVSS v3: 6.1
EPSS: 0.0588
EPSS Percentile: 92.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): progress/whatsupgold < 21.1.0
Published: Sep 28, 2021
Tracked Since: Feb 18, 2026