
    10 vulnerabilities by if-me

    CVE-2021-25992 (GCVE-0-2021-25992)

    Vulnerability from cvelistv5 – Published: 2022-02-10 09:55 – Updated: 2024-09-16 16:53
    VLAI
    Title
    ifme - Insufficient Session Expiration
    Summary
    In Ifme, versions 1.0.0 to v7.33.2 do not properly invalidate a user’s session after the user logs out. A session cookie issued before logout therefore remains usable, which makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks.
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
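    ifmeorg ifme Affected: from 1.0.0, upper bound unspecified in this entry (custom)
    Affected: up to and including v7.33.2, lower bound unspecified in this entry (custom)
    Read together, the two entries cover versions 1.0.0 through v7.33.2.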
    Date Public
    2022-02-08 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.336Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.33.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2022-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Ifme, versions 1.0.0 to v.7.33.2 don\u2019t properly invalidate a user\u2019s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613 Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-10T09:55:09.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v.7.33.3"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Insufficient Session Expiration",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2022-02-08T09:40:00.000Z",
              "ID": "CVE-2021-25992",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Insufficient Session Expiration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.33.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Ifme, versions 1.0.0 to v.7.33.2 don\u2019t properly invalidate a user\u2019s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-613 Insufficient Session Expiration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v.7.33.3"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25992",
        "datePublished": "2022-02-10T09:55:09.803Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:53:23.213Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25991 (GCVE-0-2021-25991)

    Vulnerability from cvelistv5 – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:43
    VLAI
    Title
    ifme - Improper Access Control leads to admin deactivation
    Summary
    In Ifme, versions v5.0.0 to v7.32 are vulnerable to improper access control: admins can ban themselves, which deactivates their own Ifme account and results in complete loss of admin access to Ifme.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
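    ifmeorg ifme Affected: from v5.0.0, upper bound unspecified in this entry (custom)
    Affected: up to and including v7.32, lower bound unspecified in this entry (custom)
    Read together, the two entries cover versions v5.0.0 through v7.32.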
    Date Public
    2021-12-27 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.411Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25991",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:29.587587Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:43:44.984Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.32",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T18:24:22.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32.1 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Improper Access Control leads to admin deactivation",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-27T08:22:00.000Z",
              "ID": "CVE-2021-25991",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Improper Access Control leads to admin deactivation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v5.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.32"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32.1 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25991",
        "datePublished": "2021-12-29T09:10:19.040Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:43:44.984Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25990 (GCVE-0-2021-25990)

    Vulnerability from cvelistv5 – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:43
    VLAI
    Title
    ifme - Stored Cross-Site Scripting (XSS) in Contacts section
    Summary
    In “ifme”, versions v7.22.0 to v7.31.4 are vulnerable to self-stored XSS in the contacts field, because the field allows loading XSS payloads fetched via an iframe.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
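    ifmeorg ifme Affected: from v7.22.0, upper bound unspecified in this entry (custom)
    Affected: up to and including v7.31.4, lower bound unspecified in this entry (custom)
    Read together, the two entries cover versions v7.22.0 through v7.31.4.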
    Date Public
    2021-12-27 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.260Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25990",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:31.049019Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:43:55.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v7.22.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.31.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T09:10:17.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-27T08:22:00.000Z",
              "ID": "CVE-2021-25990",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v7.22.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.31.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25990",
        "datePublished": "2021-12-29T09:10:17.689Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:43:55.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25989 (GCVE-0-2021-25989)

    Vulnerability from cvelistv5 – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:44
    VLAI
    Title
    ifme - Stored Cross-Site Scripting (XSS) in Groups section
    Summary
    In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable to stored XSS in the markdown editor. It can be exploited by making a victim a Leader of a group, which triggers the payload for them.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
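    ifmeorg ifme Affected: from 1.0.0, upper bound unspecified in this entry (custom)
    Affected: up to and including v7.31.4, lower bound unspecified in this entry (custom)
    Read together, the two entries cover versions 1.0.0 through v7.31.4.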
    Date Public
    2021-12-27 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.395Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25989",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:32.372638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:44:01.727Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.31.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for them."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T09:10:16.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Stored Cross-Site Scripting (XSS) in Groups section",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-27T08:22:00.000Z",
              "ID": "CVE-2021-25989",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Groups section"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.31.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for them."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25989",
        "datePublished": "2021-12-29T09:10:16.335Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:44:01.727Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25988 (GCVE-0-2021-25988)

    Vulnerability from cvelistv5 – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:44
    VLAI
    Title
    ifme - Stored Cross-Site Scripting (XSS) in Notifications section
    Summary
    In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable to stored XSS in the notifications section, which can be triggered directly by sending an ally request to the admin.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    ifmeorg ifme Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v7.31.4 (custom)
    Date Public
    2021-12-26 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.487Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25988",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:33.691663Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:44:07.124Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.31.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T09:10:14.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-26T16:07:00.000Z",
              "ID": "CVE-2021-25988",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.31.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25988",
        "datePublished": "2021-12-29T09:10:14.710Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:44:07.124Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25992 (GCVE-0-2021-25992)

    Vulnerability from nvd – Published: 2022-02-10 09:55 – Updated: 2024-09-16 16:53
    VLAI
    Title
    ifme - Insufficient Session Expiration
    Summary
    In Ifme, versions 1.0.0 to v7.33.2 do not properly invalidate a user’s session, even after the user has initiated logout. This makes it possible for an attacker to reuse the admin cookies, either via local/network access or by other hypothetical attacks.
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    ifmeorg ifme Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v7.33.2 (custom)
    Date Public
    2022-02-08 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.336Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.33.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2022-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Ifme, versions 1.0.0 to v.7.33.2 don\u2019t properly invalidate a user\u2019s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613 Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-10T09:55:09.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v.7.33.3"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Insufficient Session Expiration",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2022-02-08T09:40:00.000Z",
              "ID": "CVE-2021-25992",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Insufficient Session Expiration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.33.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Ifme, versions 1.0.0 to v.7.33.2 don\u2019t properly invalidate a user\u2019s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-613 Insufficient Session Expiration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/014f6d3526a594109d4d6607c2f30b1865e37611"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25992"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v.7.33.3"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25992",
        "datePublished": "2022-02-10T09:55:09.803Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:53:23.213Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25991 (GCVE-0-2021-25991)

    Vulnerability from nvd – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:43
    VLAI
    Title
    ifme - Improper Access Control leads to admin deactivation
    Summary
    In Ifme, versions v5.0.0 to v7.32 have an improper access control flaw that makes it possible for admins to ban themselves, leading to deactivation of their Ifme account and complete loss of admin access to Ifme.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    ifmeorg ifme Affected: v5.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v7.32 (custom)
    Date Public
    2021-12-27 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.411Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25991",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:29.587587Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:43:44.984Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.32",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T18:24:22.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32.1 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Improper Access Control leads to admin deactivation",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-27T08:22:00.000Z",
              "ID": "CVE-2021-25991",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Improper Access Control leads to admin deactivation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v5.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.32"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32.1 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25991",
        "datePublished": "2021-12-29T09:10:19.040Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:43:44.984Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25990 (GCVE-0-2021-25990)

    Vulnerability from nvd – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:43
    VLAI
    Title
    ifme - Stored Cross-Site Scripting (XSS) in Contacts section
    Summary
    In “ifme”, versions v7.22.0 to v7.31.4 are vulnerable to self-stored XSS in the contacts field, which allows loading XSS payloads fetched via an iframe.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    ifmeorg ifme Affected: v7.22.0 , < unspecified (custom)
    Affected: unspecified , ≤ v7.31.4 (custom)
    Date Public
    2021-12-27 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.260Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25990",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:31.049019Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:43:55.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v7.22.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.31.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T09:10:17.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-27T08:22:00.000Z",
              "ID": "CVE-2021-25990",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Contacts section"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v7.22.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.31.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In \u201cifme\u201d, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25990",
        "datePublished": "2021-12-29T09:10:17.689Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:43:55.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25989 (GCVE-0-2021-25989)

    Vulnerability from nvd – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:44
    VLAI
    Title
    ifme - Stored Cross-Site Scripting (XSS) in Groups section
    Summary
    In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable to stored XSS in the markdown editor. It can be exploited by making a victim a Leader of a group, which triggers the payload for them.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    ifmeorg ifme Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v7.31.4 (custom)
    Date Public
    2021-12-27 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.395Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25989",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:32.372638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:44:01.727Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.31.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for them."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T09:10:16.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Stored Cross-Site Scripting (XSS) in Groups section",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-27T08:22:00.000Z",
              "ID": "CVE-2021-25989",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Groups section"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.31.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for them."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/df4986f0721a72779403d21d36c025fe95edffad"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25989"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25989",
        "datePublished": "2021-12-29T09:10:16.335Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:44:01.727Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25988 (GCVE-0-2021-25988)

    Vulnerability from nvd – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:44
    VLAI
    Title
    ifme - Stored Cross-Site Scripting (XSS) in Notifications section
    Summary
    In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable to stored XSS in the notifications section, which can be triggered directly by sending an ally request to the admin.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    ifmeorg ifme Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v7.31.4 (custom)
    Date Public
    2021-12-26 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.487Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25988",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:27:33.691663Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:44:07.124Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ifme",
              "vendor": "ifmeorg",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v7.31.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2021-12-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable to stored XSS in the notifications section, which can be directly triggered by sending an ally request to the admin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-29T09:10:14.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update version to v7.32 or later"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2021-12-26T16:07:00.000Z",
              "ID": "CVE-2021-25988",
              "STATE": "PUBLIC",
              "TITLE": "ifme - Stored Cross-Site Scripting (XSS) in Notifications section"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ifme",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v7.31.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ifmeorg"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In \u201cifme\u201d, versions 1.0.0 to v7.31.4 are vulnerable to stored XSS in the notifications section, which can be directly triggered by sending an ally request to the admin."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c",
                  "refsource": "MISC",
                  "url": "https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update version to v7.32 or later"
              }
            ],
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2021-25988",
        "datePublished": "2021-12-29T09:10:14.710Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2025-04-30T15:44:07.124Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }