CVE-2021-47743
Reflected XSS in COMMAX Biometric Access Control Cookies
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| commax | biometric_access_control_system | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47743 is an unauthenticated reflected cross-site scripting (XSS) vulnerability in COMMAX Biometric Access Control System version 1.0.0. It occurs because the cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM' do not properly sanitize input before reflecting it back to the user. This allows attackers to inject malicious HTML and JavaScript code into these cookie values, which then execute in the context of a victim's browser session. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary scripts in your browser session when interacting with the affected system. This can lead to compromised user sessions, potentially enabling attackers to steal sensitive information, perform actions on behalf of the user, or manipulate the web application interface. The attack can be performed remotely without authentication by manipulating cookie values. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the web application reflects unsanitized input from the 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM' cookie parameters. One way to test is to send HTTP requests with these cookies set to malicious JavaScript payloads and observe if the script executes in the browser context. For example, using curl to send a request with a script injection payload in the cookies and then inspecting the response or browser behavior can help detect the vulnerability. Example command: curl -H "Cookie: CMX_ADMIN_NM=<script>alert(1)</script>; CMX_COMPLEX_NM=test" http://target-system/ and then checking if the script executes or is reflected in the response. This confirms the presence of reflected XSS via cookie parameters. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating cookie input on the server side to prevent injection of malicious scripts. Since the vulnerability arises from reflected unsanitized cookie values, applying proper input validation and output encoding for these cookie parameters ('CMX_ADMIN_NM' and 'CMX_COMPLEX_NM') is essential. Additionally, applying web application firewall (WAF) rules to detect and block suspicious script injection attempts in cookies can help. If possible, update or patch the COMMAX Biometric Access Control System to a version where this vulnerability is fixed. In the absence of a vendor patch, restricting access to the affected web interface and educating users about the risk of clicking suspicious links can reduce exploitation risk. [1, 2, 3]