CVE-2021-44217

MEDIUM

Ericsson Codechecker < 6.18.0 - XSS

Title source: rule

Description

In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.

Exploits (1)

nomisec WRITEUP

by Hyperkopite · poc

https://github.com/Hyperkopite/CVE-2021-44217

View Code ZIP pw:eip

References (5)

[Permissions Required] https://codechecker-demo.eastus.cloudapp.azure.com/

[Patch, Third Party Advisory] https://github.com/Ericsson/codechecker/pull/3549

[Release Notes, Third Party Advisory] https://github.com/Ericsson/codechecker/releases

[Exploit, Third Party Advisory] https://github.com/Hyperkopite/CVE-2021-44217/blob/main/README.md

[Third Party Advisory] https://user-images.githubusercontent.com/9525971/142965091-e118b012-a7fc-4c2f-ad0c-80aeed6f7ec9.png

Scores

CVSS v3 6.1

EPSS 0.0074

EPSS Percentile 73.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

ericsson/codechecker < 6.18.0

pypi/codechecker 0 - 6.18.2PyPI

Published Jan 18, 2022

Tracked Since Feb 18, 2026