Resource.aspx Reflected Cross-Site Scripting Vulnerability

(CVE-2021-35222)

Security Advisory Summary

Resource.aspx Reflected Cross-Site Scripting Vulnerability. This vulnerability allows attackers to impersonate users and perform arbitrary actions on their behalf.

Affected Products

Orion Platform 2020.2.5 and earlier

Fixed Software Release

Orion Platform 2020.2.6 HF1

Acknowledgments

Alex Birnberg of Zymo Security and FireEye

Advisory Details

Severity

8.0 High

Advisory ID

CVE-2021-35222

First Published

07/15/2021

Last Updated

08/24/2021

Fixed Version

Orion Platform 2020.2.6 HF1

Workarounds

Workaround 1

CVSS Score

CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S: C/C:H/I:L/A:L