VYPR
Medium severity 6.1 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 15, 2026

CVE-2021-47743

Description

COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

COMMAX Biometric Access Control System 1.0.0 is vulnerable to unauthenticated reflected XSS via cookie parameters CMX_ADMIN_NM and CMX_COMPLEX_NM.

The COMMAX Biometric Access Control System version 1.0.0 contains an unauthenticated reflected cross-site scripting (XSS) vulnerability in the cookie parameters CMX_ADMIN_NM and CMX_COMPLEX_NM. Input passed to these cookies is not properly sanitized before being reflected back to the user, allowing injection of arbitrary HTML and JavaScript code.[2][3]

An attacker exploits this by planting crafted values in the CMX_ADMIN_NM or CMX_COMPLEX_NM cookies and then getting the victim to load a page on the affected system that reflects them, for example /db_dump.php as shown in the proof-of-concept.[3] No authentication is required. Because the injection point is a cookie rather than a URL parameter, a crafted link on its own does not carry the payload: the attacker also needs a way to set the cookie in the victim's browser, such as social engineering, another flaw on the same or a parent domain that allows cookie writes, or a man-in-the-middle position on a plaintext HTTP connection. That extra step makes remote exploitation harder than for a query-string reflected XSS, but once the cookie is in place every reflecting page the victim visits fires the payload.

Successful exploitation enables arbitrary script execution in the victim's browser within the context of the affected site. This can lead to session hijacking, defacement, or redirection to malicious content. The vulnerability was disclosed by Gjoko 'LiquidWorm' Krstic via Zero Science Lab.[2][4]

As of the latest publication, no official patch has been released and the vendor has not provided a fix. Because the product is third-party, input validation and output encoding can only be corrected inside the application by the vendor; organizations running this system should instead restrict network access to the web interface to trusted hosts, front it with a reverse proxy or WAF that rejects requests whose CMX_ADMIN_NM or CMX_COMPLEX_NM cookies contain HTML metacharacters, and monitor access logs for requests to reflecting pages from unexpected sources. The CVE is not currently listed in the CISA KEV catalog.[1][4]
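The cookie reflection described above and the edge-filter mitigation just mentioned, as an added Python example; it is not code from this page, from the vendor, or from reference [3]. The product's PHP source is not on this page, so render_vulnerable is an assumed model of the defect (a cookie value copied straight into HTML) placed beside its output-encoded form render_fixed, and the crafted Cookie headers are constructed generic XSS test payloads, not the proof-of-concept payload. screen_cookie_header is a hypothetical rule for a reverse proxy or WAF in front of the device; it percent-decodes before matching because PHP decodes cookie values into $_COOKIE, so a rule matching a literal '<' would miss '%3C'.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The two cookie names the advisory reports as reflected unsanitized.
REFLECTED_COOKIES = ("CMX_ADMIN_NM", "CMX_COMPLEX_NM")
HTML_METACHARS = set('<>"\'&')


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header into {name: value}.

    Kept minimal on purpose: browsers send cookie values byte-for-byte, so
    '<', '>' and quotes in a value reach the server unchanged. Only the first
    '=' separates name from value, so '=' inside a payload is preserved.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def render_vulnerable(cookies: dict) -> str:
    """Assumed model of the defect: cookie values dropped into HTML as-is."""
    admin = cookies.get("CMX_ADMIN_NM", "")
    complex_name = cookies.get("CMX_COMPLEX_NM", "")
    return f'<div id="hdr">Admin: {admin} / Complex: {complex_name}</div>'


def render_fixed(cookies: dict) -> str:
    """Hardened form: HTML-entity-encode each value before it enters markup."""
    admin = html.escape(cookies.get("CMX_ADMIN_NM", ""), quote=True)
    complex_name = html.escape(cookies.get("CMX_COMPLEX_NM", ""), quote=True)
    return f'<div id="hdr">Admin: {admin} / Complex: {complex_name}</div>'


class _TagCollector(HTMLParser):
    """Records the tags and on* event-handler attributes a browser would parse."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(a for a, _ in attrs if a.lower().startswith("on"))


def markup_summary(markup: str) -> tuple:
    """Return (tags, event_handler_attrs) found in the rendered markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.handlers


def screen_cookie_header(header: str) -> list:
    """Hypothetical edge rule: list (cookie, offending chars) for reflected
    cookies whose value carries HTML metacharacters; empty list means allow.

    Values are percent-decoded first because PHP decodes cookie values into
    $_COOKIE, so matching a literal '<' on the wire would miss '%3C'.
    """
    jar = parse_cookie_header(header)
    findings = []
    for name in REFLECTED_COOKIES:
        if name in jar:
            bad = HTML_METACHARS & set(unquote(jar[name]))
            if bad:
                findings.append((name, "".join(sorted(bad))))
    return findings


# Constructed attacker Cookie header using a generic XSS test payload; this is
# not the proof-of-concept from reference [3].
CRAFTED_COOKIE_HEADER = (
    "CMX_ADMIN_NM=<img src=x onerror=alert(document.domain)>; "
    "CMX_COMPLEX_NM=HQ; PHPSESSID=deadbeef"
)
# Same payload percent-encoded, as a proxy would see it on the wire (constructed).
ENCODED_COOKIE_HEADER = (
    "CMX_ADMIN_NM=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E; "
    "CMX_COMPLEX_NM=HQ"
)
# Benign header (constructed) that the rule must let through.
BENIGN_COOKIE_HEADER = "CMX_ADMIN_NM=admin; CMX_COMPLEX_NM=Tower%20A"


if __name__ == "__main__":
    jar = parse_cookie_header(CRAFTED_COOKIE_HEADER)
    print("vulnerable:", markup_summary(render_vulnerable(jar)))
    print("fixed:     ", markup_summary(render_fixed(jar)))
    for hdr in (CRAFTED_COOKIE_HEADER, ENCODED_COOKIE_HEADER, BENIGN_COOKIE_HEADER):
        print("screen:", screen_cookie_header(hdr) or "allow")
```

With the crafted header, the vulnerable render hands the browser an extra img tag carrying an onerror handler, while the fixed render yields only the surrounding div because the payload has become entity-encoded text. The screening rule is deliberately conservative: it also rejects a legitimate complex name containing '&', which is the trade-off to accept while no vendor fix exists.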

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 6
