Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
References
Link | Resource |
---|---|
https://www.digital.security/advisories/cert-ds_advisory_cve-2020-27851.txt | Third Party Advisory |
Configurations
Information
Published : 2021-01-19 20:15
Updated : 2021-01-21 18:13
NVD link : CVE-2020-27851
Mitre link : CVE-2020-27851
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
rocketgenius
- gravityforms