CVE-2021-21319

Several stored XSS

Description

Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is the default state). Malicious javascript code can be executed (not stored) on login and retrieve password pages. This issue is patched in version 0.9.5.

Category

6.8
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.88% Top 30%
Vendor Advisory galette.eu
Affected: galette galette
Published at:
Updated at:

References

Link Tags
https://github.com/galette/galette/security/advisories/GHSA-vjc9-mj44-x59q third party advisory
https://github.com/galette/galette/commit/514418da973ae5b84bf97f94bd288a41e8e3f0a6 third party advisory patch
https://github.com/galette/galette/commit/8f3bdd9f7d0708466e011253064a867ca2b271a5 third party advisory patch
https://github.com/galette/galette/commit/f54b2570615d38d0302e937079233e52c2d80995 third party advisory patch
https://bugs.galette.eu/issues/1535 permissions required vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-21319?
CVE-2021-21319 has been scored as a medium severity vulnerability.
How to fix CVE-2021-21319?
To fix CVE-2021-21319, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21319 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-21319 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21319?
CVE-2021-21319 affects galette galette.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.