CVE-2021-20690
Description
Yomi-Search Ver4.22 contains a reflected cross-site scripting vulnerability allowing arbitrary script execution via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Yomi-Search Ver4.22, a directory-type search engine tool provided by WonderLink, contains a cross-site scripting vulnerability (CWE-79) [1]. The vulnerability allows an attacker to inject an arbitrary script via unspecified vectors, meaning the specific input fields or parameters that can be exploited are not detailed in the available references [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL or input that, when accessed by a victim, causes the injected script to execute in the context of the victim's browser session [1]. The attacker does not require any special privileges or authentication, as the vulnerability is present in the publicly accessible web interface of Yomi-Search [1].
Impact
Successful exploitation results in arbitrary script execution within the web browser of any user accessing a website that uses the vulnerable Yomi-Search installation [1]. This can lead to information disclosure, session hijacking, or other client-side attacks depending on the injected script's actions.
Mitigation
The developer, WonderLink, has been unreachable since at least 2016, and no fix or patch has been provided [1]. The only recommended mitigation is to stop using Yomi-Search Ver4.22 entirely, as per the JPCERT/CC advisory [1]. No workaround exists, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.22
- WonderLink/Yomi-Search (v5), Range: Ver4.22
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] jvn.jp/en/jp/JVN83042295/index.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.