CVE-2021-3830 (LOW, CVSS 3.8)

Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver


Platform

other

Component

btcpayserver/btcpayserver

Fixed in

1.2.3

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2021-3830 describes a Cross-Site Scripting (XSS) vulnerability affecting btcpayserver versions 1.2.3 and earlier. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft or session hijacking. The vulnerability was published on September 26, 2021, and a fix is available in version 1.2.3.

Impact and Attack Scenarios

The XSS vulnerability in btcpayserver allows an attacker to inject arbitrary JavaScript code into web pages served by the application. This code can then be executed in the context of a victim's browser, granting the attacker access to sensitive information such as cookies, session tokens, and other user data. An attacker could also use this vulnerability to redirect users to malicious websites, deface the application, or perform other actions on behalf of the victim. The impact is particularly concerning for btcpayserver deployments handling cryptocurrency transactions, as compromised user accounts could lead to financial losses.

Exploitation Context

CVE-2021-3830 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of active exploitation at this time. The vulnerability was disclosed publicly on September 26, 2021, alongside the CVE assignment.

Who Is at Risk

Organizations and individuals running btcpayserver versions 1.2.3 or earlier, particularly those handling sensitive financial data or operating in environments with limited security controls, are at risk. Shared hosting environments where multiple users share the same btcpayserver instance are also particularly vulnerable.

Detection Steps

• generic web: Use curl/wget to test for reflected XSS payloads in input fields.

curl 'http://btcpayserver/search?q=<script>alert(1)</script>'

• generic web: Examine access/error logs for suspicious requests containing JavaScript code.

• generic web: Check response headers for Content-Security-Policy (CSP) directives. Lack of CSP increases XSS risk.

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.23% (46th percentile)

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Score: 3.8 LOW

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (level of authentication required)
User Interaction: None (whether the victim must take an action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions. The attacker can exploit reliably.
Privileges Required
High: an administrator or otherwise privileged account is required.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
Low: partial or indirect access to some data.
Integrity
Low: the attacker can modify some data with limited reach.
Availability
None: no impact on availability.

Affected Software

Component: btcpayserver/btcpayserver
Vendor: btcpayserver
Affected range: unspecified – 1.2.3
Fixed in: 1.2.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2021-3830 is to upgrade btcpayserver to version 1.2.3 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update your btcpayserver configuration to ensure it adheres to security best practices.

How to fix

Upgrade btcpayserver to version 1.2.3 or later. That version contains a fix for the stored Cross-site Scripting (XSS) vulnerability. Upgrading mitigates the risk of attackers injecting malicious scripts into your server.


Frequently Asked Questions

What is CVE-2021-3830 — Cross-Site Scripting in btcpayserver?

CVE-2021-3830 is a Cross-Site Scripting (XSS) vulnerability in btcpayserver versions up to 1.2.3, allowing attackers to inject malicious scripts.

Am I affected by CVE-2021-3830 in btcpayserver?

You are affected if you are running btcpayserver version 1.2.3 or earlier. Upgrade to 1.2.3 to mitigate the risk.

How do I fix CVE-2021-3830 in btcpayserver?

Upgrade btcpayserver to version 1.2.3 or later. Implement input validation and output encoding as a temporary workaround.

Is CVE-2021-3830 being actively exploited?

There is no widespread evidence of active exploitation at this time, but vigilance is still advised.

Where can I find the official btcpayserver advisory for CVE-2021-3830?

Refer to the btcpayserver project's official release notes and security advisories on their GitHub repository.
