CVE-2021-29625

Public Exploit

XSS in doc_link

Description

Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).

References

Link	Tags
https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc	third party advisory patch
https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7	third party advisory patch
https://sourceforge.net/p/adminer/bugs-and-features/797/	product third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2021-29625?: CVE-2021-29625 has been scored as a high severity vulnerability.
How to fix CVE-2021-29625?: To fix CVE-2021-29625, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-29625 being actively exploited in the wild?: It is possible that CVE-2021-29625 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~72% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-29625?: CVE-2021-29625 affects vrana adminer.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions