CVE-2021-32828: Nuxeo vulnerable to Reflected Cross-Site Scripting leading to Remote Code Execution
CVSS Score: 5.4 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-32828
GHSA ID:
EPSS Score: 0.72735%
CWE:
Published: 1/6/2023
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.nuxeo.ecm.platform:nuxeo-platform-oauth | maven | <= 10.10 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The flaw sits in the OAuth2 callback handler of nuxeo-platform-oauth. The serviceProviderName path segment is looked up against the registered service providers and, when no provider matches, is reflected verbatim into the HTTP error response ("No service provider called: [input]") by plain string concatenation, with no HTML escaping. Because the browser renders that response as HTML in the origin of the Nuxeo instance, script placed in the path segment executes there. The CVSS vector (PR:L, UI:R, S:C) rates the base weakness as a reflected XSS that requires a low-privileged attacker and a victim click, but the injected JavaScript runs with the victim's authenticated session and can therefore invoke arbitrary Nuxeo Automation API operations on the victim's behalf, which is the chain the advisory describes as leading to remote code execution. Note that the package table lists no first patched version: treat every release up to and including 10.10 as affected and confirm the fixed version with the vendor before closing the finding.
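The pattern above, shown as an added example rather than Nuxeo's own code: a hypothetical callback dispatcher whose unknown-provider error path concatenates the path segment into an HTML body unescaped, beside a hardened form that escapes HTML metacharacters before reflecting it. The class, method names, provider map and probe string are all constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Nuxeo's code. Models the reflected-XSS pattern described in
// the advisory and the minimal escaping fix.
public class CallbackErrorExample {

    // Constructed stand-in for the registered OAuth2 service providers.
    private static final Map<String, String> PROVIDERS = new LinkedHashMap<>();
    static {
        PROVIDERS.put("google", "https://accounts.google.com/o/oauth2/auth");
    }

    // Vulnerable pattern: the user-controlled path segment is concatenated
    // straight into an HTML error body, so markup in the name is rendered as markup.
    static String vulnerableErrorBody(String serviceProviderName) {
        return "<html><body>No service provider called: "
                + serviceProviderName + "</body></html>";
    }

    // Minimal HTML entity encoder for text placed into element content or
    // attribute values. Handles the characters that can break out of a text node.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened form: same message, but the reflected value is escaped first.
    static String safeErrorBody(String serviceProviderName) {
        return "<html><body>No service provider called: "
                + escapeHtml(serviceProviderName) + "</body></html>";
    }

    // Simulated dispatch: a known provider is redirected, anything else hits the
    // error path, which is where the reflection happens.
    static String handleCallback(String serviceProviderName, boolean hardened) {
        if (PROVIDERS.containsKey(serviceProviderName)) {
            return "redirect:" + PROVIDERS.get(serviceProviderName);
        }
        return hardened ? safeErrorBody(serviceProviderName)
                        : vulnerableErrorBody(serviceProviderName);
    }

    public static void main(String[] args) {
        // Constructed probe, not an exploit: a harmless script tag in the path segment.
        String probe = "<script>alert(1)</script>";
        System.out.println(handleCallback(probe, false)); // tag reflected as live markup
        System.out.println(handleCallback(probe, true));  // tag reflected as &lt;script&gt;...
        System.out.println(handleCallback("google", true));
    }
}
```

Escaping is the floor, not the ceiling. A stronger fix for an error path like this is to not reflect the attacker-controlled name at all (log it server-side and return a generic message), to serve error responses with a non-HTML content type such as text/plain or application/json, and to ship a Content-Security-Policy so that even a missed sink cannot load or run inline script.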