4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3271

GHSA ID

GHSA-9652-78hp-w58c

EPSS Score

0.52949%

CWE

CWE-79

Published

3/29/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3271

CVE-2021-3271: Stored cross-site scripting in PressBooks

PressBooks 5.17.3 contains a cross-site scripting (XSS). Stored XSS can be submitted via the Book Info's Long Description Body, and all actions to open or preview the books page will result in the triggering the stored XSS.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3271

GHSA ID

GHSA-9652-78hp-w58c

EPSS Score

0.52949%

CWE

CWE-79

Published

3/29/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pressbooks/pressbooks	composer	< 5.18.0	5.18.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient input sanitization in book metadata handling. The commit diff shows sanitize_string() was added as a callback for several fields including pb_about_unlimited (Long Description). Prior to 5.18.0, these fields lacked proper HTML filtering. The proof-of-concept demonstrates that raw HTML/JS in Long Description was stored and executed, indicating missing sanitization in the save workflow. The vulnerable functions are those responsible for processing and storing user input in book metadata without adequate XSS protection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pr*ss*ooks *.**.* *ont*ins * *ross-sit* s*riptin* (XSS). Stor** XSS **n ** su*mitt** vi* t** *ook In*o's Lon* **s*ription *o*y, *n* *ll **tions to op*n or pr*vi*w t** *ooks p*** will r*sult in t** tri***rin* t** stor** XSS.

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt input s*nitiz*tion in *ook m*t***t* **n*lin*. T** *ommit *i** s*ows s*nitiz*_strin*() w*s ***** *s * **ll***k *or s*v*r*l *i*l*s in*lu*in* p*_**out_unlimit** (Lon* **s*ription). Prior to *.**.*, t**s* *i*l*

4.8

Basic Information

Concerned about an active attack path?

CVE-2021-3271: Stored cross-site scripting in PressBooks

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI