CVE-2021-41467:
Cross-site scripting in application/controllers/dropbox.php in JustWriting
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-41467
GHSA ID:
EPSS Score: 0.9408%
CWE:
Published: 10/4/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| hjue/justwriting | composer | <= 1.0.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from line 36 of dropbox.php, where the `challenge` query parameter is echoed directly without sanitization. This is the classic reflected XSS pattern: user-controlled input (a URL parameter) is reflected into the response without output encoding. The GitHub issue #106 explicitly shows the vulnerable snippet, `echo $_GET['challenge']; exit;`, confirming improper neutralization of web output.
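The vulnerable pattern from the advisory next to a hardened handler, as an added illustration that is not JustWriting's code: it assumes the endpoint only has to return the `challenge` value back to the caller as plain text (a webhook verification handshake), and the helper names and the allow-list pattern are hypothetical and must be checked against what the real caller sends.

```php
<?php
// Added example, not the project's code. Helper names are hypothetical.

// Vulnerable pattern quoted in the advisory (dropbox.php line 36):
// the query parameter is written straight into the response, which the
// browser treats as HTML, so markup in the parameter is executed.
function vulnerableChallenge(array $get): string
{
    return $get['challenge'] ?? '';   // echoed verbatim: reflected XSS
}

// Hardened version: two independent controls, each sufficient on its own.
function hardenedChallenge(array $get): array
{
    $value = $get['challenge'] ?? '';

    // 1. Allow-list the token shape instead of reflecting arbitrary input.
    //    (Assumed policy: short printable ASCII; adjust to the caller's format.)
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9._~-]{1,256}\z/', $value)) {
        return ['status' => 400, 'headers' => ['Content-Type: text/plain; charset=utf-8'],
                'body' => 'bad request'];
    }

    // 2. Serve as text/plain with nosniff so the body is never parsed as HTML,
    //    and entity-encode anyway as defence in depth should the allow-list be
    //    relaxed later (for the allow-listed charset above this is a no-op).
    return [
        'status'  => 200,
        'headers' => ['Content-Type: text/plain; charset=utf-8',
                      'X-Content-Type-Options: nosniff'],
        'body'    => htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

// Emit a response array in a real request context.
function emit(array $resp): void
{
    http_response_code($resp['status']);
    foreach ($resp['headers'] as $h) { header($h); }
    echo $resp['body'];
}

// Constructed probe input for a CLI demo, not a real token.
$probe = ['challenge' => '<script>alert(1)</script>'];
echo "vulnerable body: ", vulnerableChallenge($probe), PHP_EOL;
echo "hardened status: ", hardenedChallenge($probe)['status'], PHP_EOL;
echo "hardened body for a valid token: ", hardenedChallenge(['challenge' => 'abc123'])['body'], PHP_EOL;
```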