Platform: php
Component: getsimple-custom-js
Fixed in: 0.1.1
CVE-2021-47860 describes a cross-site scripting (XSS) vulnerability discovered in the Custom JS plugin for GetSimple CMS, specifically affecting version 0.1. This vulnerability allows unauthenticated attackers to inject arbitrary client-side code into the browsers of authenticated administrators. Exploitation could lead to unauthorized access, data theft, or even remote code execution on the hosting server, highlighting the need for immediate remediation.
The primary impact of CVE-2021-47860 is the potential for an attacker to execute malicious JavaScript code within the context of an administrator's session. This could allow an attacker to steal sensitive information, such as login credentials or administrative settings. Furthermore, the attacker could modify website content, redirect users to malicious sites, or even gain control of the server itself. The lack of authentication required for exploitation significantly broadens the attack surface, making it easier for attackers to target vulnerable installations. Successful exploitation could have a significant impact on the confidentiality, integrity, and availability of the GetSimple CMS website and its associated data.
CVE-2021-47860 was publicly disclosed on 2026-01-21. Currently, there are no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively straightforward to exploit. The vulnerability is not currently listed in the CISA KEV catalog.
Administrators of GetSimple CMS websites using the Custom JS plugin version 0.1 are at significant risk. Shared hosting environments where multiple websites share the same server are particularly vulnerable, as a compromise of one website could potentially lead to the compromise of others. Websites relying on the Custom JS plugin for critical functionality are also at higher risk.
• php: Examine the Custom JS plugin files for suspicious JavaScript code, particularly functions that handle user input. Use grep to search for potentially malicious patterns like eval() or document.write.
grep -rn -e 'eval(' -e 'document\.write' /path/to/customjs/plugin/
• generic web: Monitor access logs for unusual requests containing JavaScript payloads. Look for POST requests to plugin endpoints with suspicious data. Use curl to test endpoints for XSS vulnerabilities.
curl -X POST -d "<script>alert('XSS')</script>" http://example.com/plugins/customjs/endpoint.php
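As an added example (not from this advisory or the plugin's own code), the following Python script applies the log-monitoring check above to a few constructed access-log lines: it URL-decodes each request target (repeatedly, so double-encoded payloads are not missed), looks for script-like markers in requests to the plugin path, and reports POSTs to plugin endpoints for follow-up since request bodies are not in access logs. The combined log format, the /plugins/customjs/ path and the sample entries are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log line (assumed format; samples below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Markers typical of injected client-side code; checked after URL decoding so that
# percent-encoded payloads such as %3Cscript%3E are caught as well.
XSS_MARKERS = re.compile(
    r'<\s*script|javascript\s*:|\bon(?:error|load|mouseover|click)\s*=|<\s*svg|<\s*img',
    re.IGNORECASE,
)

# Plugin endpoints worth inspecting (assumed path, matching the curl check above).
PLUGIN_PATH = "/plugins/customjs/"

SAMPLE_LOG = [  # constructed sample entries, not real traffic
    '203.0.113.7 - - [21/Jan/2026:10:00:01 +0000] "GET /plugins/customjs/endpoint.php?js=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jan/2026:10:00:05 +0000] "POST /plugins/customjs/endpoint.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [21/Jan/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [21/Jan/2026:10:01:02 +0000] "GET /plugins/customjs/settings.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def decode_target(target: str) -> str:
    # Decode until stable so a double-encoded payload (%253C...) is fully unwrapped.
    prev = None
    while prev != target:
        prev, target = target, unquote_plus(target)
    return target


def suspicious_requests(lines):
    """Return (ip, method, decoded_target, reason) for plugin requests that merit review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        target = decode_target(m["target"])
        if PLUGIN_PATH not in target:
            continue
        if XSS_MARKERS.search(target) or XSS_MARKERS.search(unquote_plus(m["referer"])):
            hits.append((m["ip"], m["method"], target, "script-like payload in request"))
        elif m["method"] == "POST":
            hits.append((m["ip"], m["method"], target, "POST to plugin endpoint; inspect body server-side"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```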
Exploit status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2021-47860 is to upgrade the Custom JS plugin to a patched version. Unfortunately, no patched version is currently available. As a temporary workaround, administrators should carefully review all plugin code for suspicious activity and implement strict input validation on any user-supplied data. Consider implementing a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly scan the website for XSS vulnerabilities using automated tools. Disable the Custom JS plugin entirely if it is not essential for website functionality.
Update the GetSimple CMS Custom JS plugin to a fixed version. Check the official GetSimple CMS website or the GitHub repository for the latest version and the update instructions. Since no fixed version is specified, it is recommended to contact the developer for an update.
CVE-2021-47860 is a cross-site scripting (XSS) vulnerability in the Custom JS plugin for GetSimple CMS version 0.1, allowing attackers to inject malicious code into administrator browsers.
You are affected if you are using GetSimple CMS with the Custom JS plugin version 0.1. No patched version is currently available.
Upgrade to a patched version of the plugin. As no patch exists, implement workarounds like input validation, WAF rules, and disabling the plugin if possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the GetSimple CMS website and security advisories for updates and information regarding CVE-2021-47860.