CVE-2021-27330

moderate-risk
Published 2021-02-25

Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.

Do I need to act?

!
22.4% chance of exploitation in next 30 days
EPSS score — higher than 78% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Triconsole

References (8)

Exploit http://packetstormsecurity.com/files/161570/Triconsole-3.75-Cross-Site-Scripting...
Product http://www.triconsole.com/
Product http://www.triconsole.com/php/calendar_datepicker.php
Exploit https://www.exploit-db.com/exploits/49597
Exploit http://packetstormsecurity.com/files/161570/Triconsole-3.75-Cross-Site-Scripting...
Product http://www.triconsole.com/
Product http://www.triconsole.com/php/calendar_datepicker.php
Exploit https://www.exploit-db.com/exploits/49597
42
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal