CVE-2021-47925
Description
CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CMDBuild 3.3.2 has multiple stored XSS vulnerabilities allowing authenticated attackers to inject arbitrary web script via crafted Employee card parameters or SVG file attachments.
Vulnerability
Overview
CMDBuild 3.3.2 contains multiple stored cross-site scripting (XSS) vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML. The root cause is improper neutralization of user-supplied input during web page generation (CWE-79) [4]. Attackers can inject payloads through Employee card parameters (e.g., Code, Surname, Name) or by uploading SVG file attachments via the classes endpoint [2].
Exploitation
An attacker with a low-privilege account can exploit these vulnerabilities. For the Employee card vector, the attacker adds a new Employee card and inserts XSS payloads into fields such as Code, Surname, or Name. When another user views the affected record or opens the relation graph, the payload executes [2]. For the file upload vector, the attacker uploads a crafted SVG file as an attachment to a Workplace card; the payload triggers when a victim previews the attachment or opens it in a new tab [2].
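The two vectors above are instances of the same CWE-79 pattern: card field values are written into a page without encoding, and an uploaded SVG is rendered as a document rather than delivered as a file. The following is an added illustration of that pattern and of the corresponding defensive handling; it is not CMDBuild's code, not a documented workaround for this CVE, and the sample card and SVG bytes are constructed for the example.

```python
import html
import re

# Constructed sample of card fields an authenticated user could submit
# (not real CMDBuild data). The Code field carries a script-tag canary.
SAMPLE_CARD = {
    "Code": "<script>alert(1)</script>",
    "Surname": "Doe",
    "Name": "Jane",
}

# Constructed SVG samples: one carrying active content, one purely graphical.
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def render_card_unsafe(card):
    """Vulnerable pattern (CWE-79): field values are concatenated straight into HTML."""
    return "<tr>" + "".join(f"<td>{value}</td>" for value in card.values()) + "</tr>"


def render_card_escaped(card):
    """Hardened form: every field is HTML-encoded before it reaches the page."""
    return "<tr>" + "".join(
        f"<td>{html.escape(value, quote=True)}</td>" for value in card.values()
    ) + "</tr>"


# Markers of active content inside an SVG: script elements, on* event
# handlers, and javascript: URLs. A conservative upload-time check.
_ACTIVE_SVG = re.compile(rb"<script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def is_active_svg(content: bytes) -> bool:
    """Return True when SVG bytes contain script or event-handler content."""
    return _ACTIVE_SVG.search(content) is not None


def attachment_headers(filename: str) -> dict:
    """Response headers for serving a stored attachment as a download only.

    Even if an SVG with script is stored, these headers stop the browser from
    executing it in the application's origin: it is offered as a download,
    MIME sniffing is disabled, and any inline rendering is sandboxed with no
    script sources permitted.
    """
    safe_name = re.sub(r'[^\w.\-]', "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    print("unsafe :", render_card_unsafe(SAMPLE_CARD))
    print("escaped:", render_card_escaped(SAMPLE_CARD))
    print("active svg rejected:", is_active_svg(ACTIVE_SVG))
    print("plain svg accepted :", not is_active_svg(PLAIN_SVG))
    print(attachment_headers("logo.svg"))
```

Both controls matter independently: output encoding protects the record and relation-graph views, while download-only delivery of attachments protects the preview and open-in-new-tab paths even when an upload filter is bypassed.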
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information displayed within the CMDBuild application. The CVSS v3 base score is 6.4 (Medium) [4], reflecting the need for authentication and user interaction.
Mitigation
The vendor has released CMDBuild 4.2.0, which addresses these vulnerabilities [3]. Users are strongly advised to upgrade to the latest version. No workarounds are documented in the available references.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)