VYPR
Unrated severity · NVD Advisory · Published May 1, 2022 · Updated Aug 3, 2024

CVE-2021-31673

Description

A DOM-based cross-site scripting (XSS) vulnerability in account registration in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cyclos 4 PRO.14.7 and earlier are vulnerable to DOM-based XSS via the groupId parameter during registration, enabling remote attackers to inject arbitrary web scripts or HTML.

Vulnerability

A DOM-based cross-site scripting (XSS) vulnerability exists in the registration functionality of Cyclos 4 PRO.14.7 and earlier versions [1]. The flaw is triggered via the groupId parameter: the value is read from the source location.hash and reaches the sink innerHTML in the file cyclos.gwt-0.js without being properly sanitized [1].

Exploitation

An attacker crafts a malicious URL containing a payload in the groupId parameter, such as [IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E [1]. When a victim opens this URL, the injected JavaScript executes in the context of the victim's browser session [1]. No special network position or authentication is required; the attacker simply sends the URL to the victim (e.g., via phishing or social engineering).

Impact

Successful exploitation allows the remote attacker to execute arbitrary web scripts or HTML within the victim's browser [1]. This can lead to session hijacking, credential theft, defacement, or other actions that the victim's session privileges permit. The impact is limited to the user's browser context but can be used to compromise user accounts and sensitive data.

Mitigation

The vulnerability is confirmed in Cyclos 4 PRO.14.7 and before. According to the reference [1], the vendor was contacted in April 2021; as of the publication date (May 2022), the availability of a patched version is not specified in the available references. Users should apply any vendor-supplied updates if released, or consider input validation and output encoding for the groupId parameter as a workaround. No evidence of listing in CISA's Known Exploited Vulnerabilities catalog was found in the provided references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Cyclos/Cyclos (description)
  • Cyclos/Cyclos (llm-create)
    Range: <=4 PRO.14.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application reads the groupId parameter from location.hash and writes it directly into the DOM via innerHTML without sanitization, enabling DOM-based XSS."

Attack vector

An attacker crafts a malicious URL containing a `groupId` parameter with an XSS payload in the URL fragment, e.g., `[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E` [1]. When the victim opens this link, the Cyclos application reads the `groupId` value from `location.hash` and writes it into the DOM via `innerHTML` without sanitization, causing the injected script to execute in the victim's browser context [1]. No authentication or special privileges are required; the attacker only needs to deliver the crafted link to a victim.

Affected code

The vulnerability resides in the Cyclos GWT module file `cyclos.gwt-0.js`. The source is `location.hash` and the sink is `innerHTML` within that same file [1]. The `groupId` parameter is read from the URL fragment and unsafely written into the DOM, enabling DOM-based XSS.

What the fix does

The advisory does not provide a patch or specific remediation code [1]. To fix this DOM-based XSS, the application should sanitize or encode the `groupId` parameter value before inserting it into the DOM via `innerHTML`, or use safe DOM manipulation methods such as `textContent` instead of `innerHTML`. Input from `location.hash` should never be directly assigned to `innerHTML` without proper escaping.
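The remediation described above, sketched as an added example (this is not Cyclos code or a vendor patch): it parses the fragment, allow-lists `groupId`, and HTML-encodes values that must appear in markup. The `!key=value&...` fragment grammar, the decimal `groupId` format, the element id and all function names are assumptions.

```javascript
// Added example, not Cyclos code. Runs in Node or a browser.
// Constructed input: the fragment from the advisory's proof-of-concept URL.
const SAMPLE_HASH = '#users.users.public-registration!groupId=' +
  '1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E';

// Assumption: the fragment is "#<page>!key=value&key=value".
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const bang = raw.indexOf('!');
  const page = bang === -1 ? raw : raw.slice(0, bang);
  const params = new Map(); // Map avoids __proto__ key surprises
  const query = bang === -1 ? '' : raw.slice(bang + 1);
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    if (eq <= 0) continue; // no key or no value separator
    try {
      params.set(pair.slice(0, eq), decodeURIComponent(pair.slice(eq + 1)));
    } catch (e) {
      // Malformed percent-encoding: drop the parameter instead of guessing.
    }
  }
  return { page, params };
}

// Assumption: a legitimate groupId is a short decimal identifier.
const GROUP_ID_RE = /^[0-9]{1,19}$/;

// Returns the groupId if it passes the allow-list, otherwise null.
function safeGroupId(hash) {
  const id = parseFragment(hash).params.get('groupId');
  return typeof id === 'string' && GROUP_ID_RE.test(id) ? id : null;
}

// Output encoding for the cases where the value must be embedded in markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Browser wiring (hypothetical element id "group-label"):
//   const id = safeGroupId(location.hash);
//   document.getElementById('group-label').textContent = id === null ? 'Unknown group' : id;
```

Validation rejects the advisory's sample fragment outright; encoding is the fallback for fields that cannot be constrained to a strict format.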

Preconditions

  • input: The victim must open a crafted URL containing the malicious groupId parameter in the URL fragment.
  • auth: No authentication or special privileges required; the registration page is publicly accessible.

Reproduction

1. Craft a URL with the payload in the groupId parameter: `[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E` [1].
2. Send this URL to a victim.
3. When the victim opens the URL in a browser, the JavaScript payload executes, displaying an alert with the document domain [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
