CVE-2021-47743
Unknown Unknown - Not Provided
Reflected XSS in COMMAX Biometric Access Control Cookies

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: VulnCheck

Description
COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47743
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
commax biometric_access_control_system 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47743 is an unauthenticated reflected cross-site scripting (XSS) vulnerability in COMMAX Biometric Access Control System version 1.0.0. It occurs because the cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM' do not properly sanitize input before reflecting it back to the user. This allows attackers to inject malicious HTML and JavaScript code into these cookie values, which then execute in the context of a victim's browser session. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary scripts in your browser session when interacting with the affected system. This can lead to compromised user sessions, potentially enabling attackers to steal sensitive information, perform actions on behalf of the user, or manipulate the web application interface. The attack can be performed remotely without authentication by manipulating cookie values. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by checking if the web application reflects unsanitized input from the 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM' cookie parameters. One way to test is to send HTTP requests with these cookies set to malicious JavaScript payloads and observe if the script executes in the browser context. For example, using curl to send a request with a script injection payload in the cookies and then inspecting the response or browser behavior can help detect the vulnerability. Example command: curl -H "Cookie: CMX_ADMIN_NM=<script>alert(1)</script>; CMX_COMPLEX_NM=test" http://target-system/ and then checking if the script executes or is reflected in the response. This confirms the presence of reflected XSS via cookie parameters. [1, 3]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating cookie input on the server side to prevent injection of malicious scripts. Since the vulnerability arises from reflected unsanitized cookie values, applying proper input validation and output encoding for these cookie parameters ('CMX_ADMIN_NM' and 'CMX_COMPLEX_NM') is essential. Additionally, applying web application firewall (WAF) rules to detect and block suspicious script injection attempts in cookies can help. If possible, update or patch the COMMAX Biometric Access Control System to a version where this vulnerability is fixed. In the absence of a vendor patch, restricting access to the affected web interface and educating users about the risk of clicking suspicious links can reduce exploitation risk. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47743. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart