CVE-2021-47925

MEDIUM

CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47925. PoCs published by Hosein Vita.

AI-analyzed exploit summary: The exploit demonstrates multiple stored XSS vulnerabilities in CMDBuild 3.3.2 via crafted SVG uploads and employee card parameters. It includes specific HTTP requests and payloads to trigger the XSS in the 'Employee' and 'Workplace' sections.

Description

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.

Exploits (1)

exploitdb · WORKING POC
by Hosein Vita · text/webapps/multiple
https://www.exploit-db.com/exploits/50527

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: CMDBuild 3.3.2
Auth required
Prerequisites: low-privilege user access · ability to upload files or modify employee data
Analyzed by devstral-2 on May 10, 2026

References (4)

Core References
Exploit: ExploitDB-50527
https://www.exploit-db.com/exploits/50527
Product: Official Product Homepage
https://www.cmdbuild.org
Product: Product Reference
https://www.cmdbuild.org/en/download/latest-version
Third Party Advisory: VulnCheck Advisory: CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting
https://www.vulncheck.com/advisories/cmdbuild-multiple-stored-cross-site-scripting

Scores

CVSS v3: 6.4
EPSS: 0.0024
EPSS Percentile: 14.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): Cmdbuild/CMDBuild CMDBuild 3.3.2
Published: May 10, 2026
Tracked Since: May 10, 2026