CVE-2021-27695 in openMAINT
Summary
by MITRE • 03/16/2021
Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name and Code Parameters.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/05/2026
The vulnerability identified as CVE-2021-27695 represents a critical stored cross-site scripting flaw within the openMAINT maintenance management platform version 2.1 through 3.3-b. This vulnerability resides in the application's input validation mechanisms, specifically affecting the Add functionality sections where users can create new records such as Card Building & Floor entries. The flaw allows remote attackers to inject malicious scripts that persist in the application's database and subsequently execute when other users view the affected records.
The technical implementation of this vulnerability stems from insufficient sanitization of user-supplied input parameters within the Name and Code fields of various Add sections. When users submit data through these interfaces, the application fails to properly validate or escape special characters that could be interpreted as HTML or JavaScript code. This inadequate input handling creates a persistent XSS vector where attacker-controlled payloads are stored in the database and executed in the context of other users' browsers. The vulnerability affects multiple Add sections within the application's interface, making it particularly dangerous as it provides attackers with broad attack surface coverage.
The operational impact of this vulnerability is severe as it enables attackers to execute arbitrary scripts in the browsers of authenticated users who view the maliciously crafted records. This can lead to session hijacking, credential theft, data exfiltration, and potentially full system compromise if users have administrative privileges. The stored nature of the vulnerability means that once an attacker successfully injects malicious code, it will affect all users who access the affected records until the malicious content is removed from the database. Attackers could leverage this vulnerability to establish persistent access to the system, manipulate data integrity, or redirect users to malicious websites.
Mitigation strategies for this vulnerability should include immediate implementation of proper input validation and output encoding mechanisms throughout the application's data handling processes. The system should employ comprehensive sanitization of all user inputs, particularly in fields where HTML content is not expected, and apply context-specific escaping before rendering any user-supplied data. Organizations should implement Content Security Policy headers to limit script execution capabilities and consider implementing web application firewalls to detect and block malicious payloads. Additionally, regular security testing including automated vulnerability scanning and manual penetration testing should be conducted to identify similar input validation weaknesses. This vulnerability aligns with CWE-79 which describes Cross-site Scripting flaws, and maps to ATT&CK technique T1566 related to Phishing through Social Engineering, as attackers could use this vulnerability to establish initial access or escalate privileges within the system.