CVE-2021-40924
Description
Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the first_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- bugs/bugsdescription
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization in install/index.php allows user-controlled POST parameters to be echoed directly into HTML without escaping."
Attack vector
An attacker crafts a malicious form (or a crafted URL) that submits a `POST` request to `install/index.php` with a payload in the `first_name`, `last_name`, or `email` parameter [ref_id=2]. The payload, such as `test"/>
Affected code
The vulnerable code is in `install/index.php`. The `first_name`, `last_name`, and `email` parameters from `$_POST` are echoed directly into the `value` attribute of `
What the fix does
No patch is provided in the bundle. The advisory [ref_id=2] identifies that the `first_name`, `last_name`, and `email` parameters are echoed without sanitization. The remediation would require escaping output with `htmlspecialchars()` (or equivalent) before inserting user input into HTML attributes, and validating or sanitizing input on the server side.
Preconditions
- networkThe attacker must coerce a victim into visiting a crafted link or submitting a malicious form to the install/index.php page.
- inputThe victim must have access to the Bugs installation page (install/index.php).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/pixeline/bugs/issues/552mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.