CVE-2021-47925
Stored XSS in CMDBuild 3.3.2 via Card and File Upload
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cmdbuild | cmdbuild | 3.3.2 |
| cmdbuild | cmdbuild | to 3.3.2 (exc) |
| cmdbuild | cmdbuild | 4.2.0 |
| cmdbuild | cmdbuild | From 4.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not explicitly mention the impact of CVE-2021-47925 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2021-47925 is a stored cross-site scripting (XSS) vulnerability found in CMDBuild version 3.3.2 and earlier. It allows authenticated attackers to inject malicious web scripts or HTML by submitting crafted input during card creation or file upload processes.
Specifically, attackers can exploit parameters in the Employee card creation or upload specially crafted SVG files in the classes endpoint. These injected scripts execute when other users view the affected records or preview the uploaded attachments, potentially compromising their session or data.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary scripts in the context of other users who view the compromised records or attachments. This can lead to unauthorized actions such as stealing session tokens, defacing web content, or performing actions on behalf of the victim user.
Since the vulnerability requires authentication, it means an attacker must have some level of access to the system, but once exploited, it can affect other users with access to the affected data, potentially leading to broader compromise within the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a stored cross-site scripting (XSS) flaw in CMDBuild 3.3.2: an authenticated user injects script through crafted Employee card parameters or through an SVG attachment uploaded via the classes endpoint, and the application stores the payload. Because the payload persists server-side, detection should focus on the stored data (card field values and attachment files) rather than only on live traffic.
Exploitation fires when another user views the affected record or previews the attachment, so reviewing access logs for the card and attachment endpoints, together with the stored content those endpoints serve, can reveal both the injection and which users have since been exposed to it.
The resources provide no specific commands, but general approaches include:
- Running an authenticated web application scanner against the card creation and file upload endpoints with a stored-XSS check (the payload has to be written and then fetched back, so a purely reflected test will miss it).
- Manually inspecting HTTP requests and responses for Employee card creation and SVG uploads, looking for script tags, on* event-handler attributes, javascript: URLs, and SVG script or foreignObject elements.
- Reviewing application and web server logs for unusual input patterns or errors on these endpoints, and exporting existing card data and SVG attachments so they can be scanned offline.
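One way to carry out the offline review of stored data described above, written as an added Python example (it is not part of the original page and not CMDBuild's own code). The card records and SVG documents are constructed samples, the field names Code, Description and Notes are assumed for illustration, and the SVG check uses the standard library XML parser, so input size should be capped before pointing it at untrusted files.

```python
"""Offline scan of exported CMDBuild card fields and SVG attachments for
stored-XSS payloads. Added example, not CMDBuild code; all inputs below
are constructed samples."""
import re
import xml.etree.ElementTree as ET

# Constructs a text-field payload usually needs in order to execute.
TEXT_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "event handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "active element": re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I),
}


def suspicious_text(value):
    """Names of the patterns that match a card field value (empty if clean)."""
    return [name for name, pat in TEXT_PATTERNS.items() if pat.search(value)]


def suspicious_svg(data):
    """Findings for one SVG document: script/foreignObject elements, on*
    event-handler attributes and javascript: hrefs. The stdlib parser does
    not fetch external entities but will expand internal ones, so cap the
    input size before calling this on untrusted files."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["unparseable SVG: %s" % exc]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the namespace
        if tag in ("script", "foreignobject"):
            findings.append("<%s> element" % tag)
        for name, val in el.attrib.items():
            local = name.split("}")[-1].lower()      # xlink:href -> href
            if local.startswith("on"):
                findings.append("event handler %s on <%s>" % (local, tag))
            elif local == "href" and val.strip().lower().startswith("javascript:"):
                findings.append("javascript: href on <%s>" % tag)
    return findings


def scan_cards(cards):
    """Map (card code, field) -> matched pattern names for every field that
    looks like it carries a payload."""
    hits = {}
    for card in cards:
        for field, value in card.items():
            matched = suspicious_text(value)
            if matched:
                hits[(card["Code"], field)] = matched
    return hits


# Constructed sample export: one clean card and one carrying a payload.
SAMPLE_CARDS = [
    {"Code": "E001", "Description": "Alice Example", "Notes": "joined 2021"},
    {"Code": "E002", "Description": '<img src=x onerror="alert(document.domain)">', "Notes": ""},
]

BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(2)"><text>click</text></a>
</svg>"""

if __name__ == "__main__":
    for key, names in scan_cards(SAMPLE_CARDS).items():
        print("card %s field %s: %s" % (key[0], key[1], ", ".join(names)))
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print("%s svg: %s" % (label, suspicious_svg(doc) or "clean"))
```

The text patterns are deliberately broad (an "on*=" match will also fire on harmless prose such as "season=2021"), so treat hits as a triage list to review by hand, not as proof of compromise. The SVG check parses rather than greps, which is what catches handlers and hrefs hidden behind namespace prefixes or unusual casing.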
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable CMDBuild 3.3.2 instance to trusted users, since exploitation requires an authenticated account. This reduces but does not remove the risk, because any account able to create cards or upload files can plant the payload.
Until the instance is patched, limit card creation and file upload to the smallest set of roles that need them, and block SVG attachments or make sure they are delivered as downloads rather than rendered inline.
Upgrade CMDBuild to the latest release (4.2.0 or later) and confirm against the vendor's release notes that this issue is fixed in the version you deploy.
Add input validation and output encoding on the card creation and file upload paths: HTML-encode card field values when they are rendered, and treat uploaded SVG as active content that is either sanitized or never served with a type the browser will execute.
Monitor user activity and audit logs for suspicious card creation and file upload activity, and review existing Employee cards and attachments for payloads that may already be stored.
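One way to apply the output-encoding and attachment-delivery controls listed above, as an added Python example rather than code from the original page or from the CMDBuild project: card field values are HTML-encoded on render, and attachments of active types are forced to download as opaque bytes under a sandboxing Content-Security-Policy, so a stored SVG payload is never executed in the application origin. The function names are assumptions for illustration; where such checks would be wired into CMDBuild is not something the page specifies.

```python
"""Hardened rendering of card fields and delivery of stored attachments.
Added example, not CMDBuild code; function names are illustrative."""
import html
import re

# Types a browser treats as active content when served inline; a stored
# SVG with <script> runs in the application's origin if delivered as-is.
ACTIVE_CONTENT = {
    "image/svg+xml", "text/html", "application/xhtml+xml",
    "text/xml", "application/xml",
}


def render_field(value):
    """Encode a card field for insertion into HTML text or attribute content.
    The payload survives in storage but becomes inert markup on output."""
    return html.escape(value, quote=True)


def safe_filename(name):
    """Reduce an uploaded name to a conservative character set: no path
    components, no quotes that could terminate the header value."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)[:120]
    return cleaned or "attachment"


def attachment_headers(filename, declared_type):
    """Response headers for an attachment download.

    Active types are relabelled as opaque bytes, and every attachment is
    served as a download with nosniff and a sandbox CSP, so a preview that
    does get rendered can neither run script nor reach the origin."""
    content_type = (
        "application/octet-stream" if declared_type in ACTIVE_CONTENT
        else declared_type
    )
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(filename),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


def render_card(card):
    """Build an HTML fragment for a card, encoding every key and value."""
    rows = "".join(
        "<tr><th>%s</th><td>%s</td></tr>" % (render_field(k), render_field(v))
        for k, v in card.items()
    )
    return "<table>%s</table>" % rows


if __name__ == "__main__":
    # Constructed payload of the kind a stored-XSS card field would hold.
    print(render_card({"Code": "E002", "Description": '<img src=x onerror="alert(1)">'}))
    for h, v in attachment_headers("../../logo.svg", "image/svg+xml").items():
        print("%s: %s" % (h, v))
```

The header-based control only helps when the browser fetches the attachment as a top-level resource or frame. If the application previews an attachment by fetching it with XHR and inserting the markup into the page DOM, the headers are irrelevant and the file has to be sanitized or rejected at upload time instead.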