CVE-2021-4293 in youngcart5
Summary
by MITRE • 12/28/2022
** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in gnuboard youngcart5 up to 5.4.5.1. Affected is an unknown function of the file adm/menu_list_update.php. The manipulation of the argument me_link leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 5.4.5.2 is able to address this issue. The name of the patch is 70daa537adfa47b87af12d85f1e698fff01785ff. It is recommended to upgrade the affected component. VDB-216954 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/28/2025
This vulnerability resides within the gnuboard youngcart5 content management system where a cross-site scripting flaw exists in the adm/menu_list_update.php file. The specific function affected involves the manipulation of the me_link argument, which creates a security exposure that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability is classified as remotely exploitable, meaning that an attacker does not require physical access to the system to carry out the attack, and can potentially compromise user sessions or redirect them to malicious sites. This represents a significant security risk in web applications where user input is not properly sanitized before being processed and displayed.
The technical nature of this vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws that occur when web applications fail to properly validate or escape user-supplied input before incorporating it into dynamic content. The me_link parameter serves as the attack vector where malicious input can be injected to execute arbitrary JavaScript code in the context of a victim's browser session. This type of vulnerability enables attackers to perform actions on behalf of users, potentially stealing session cookies, modifying data, or redirecting users to phishing sites. The vulnerability's classification as problematic indicates that it represents a substantial security concern that requires immediate attention.
The operational impact of this vulnerability extends beyond simple script execution, as it can lead to session hijacking, data theft, and potential full system compromise if users with administrative privileges are affected. The fact that this vulnerability only affects unsupported products highlights a critical security gap where organizations may be running outdated software with known security flaws. Attackers can leverage this vulnerability to gain unauthorized access to user accounts, manipulate content, or establish persistent access points within the web application environment. The remote exploitation capability means that attackers can target users from anywhere on the internet without requiring local system access.
The recommended mitigation strategy involves upgrading to version 5.4.5.2 which includes the patch identified by the commit hash 70daa537adfa47b87af12d85f1e698fff01785ff. This upgrade addresses the root cause by properly sanitizing the me_link parameter before processing user input. Organizations should also implement additional defensive measures including input validation, output encoding, and regular security audits to prevent similar vulnerabilities. The vulnerability's designation as unsupported by the maintainer underscores the importance of maintaining current software versions and having proper security governance policies in place to avoid running legacy systems with known security flaws. This case demonstrates how the absence of security updates and patches can leave systems vulnerable to exploitation, aligning with ATT&CK technique T1190 for exploitation of remote services and T1566 for credential access through social engineering or compromised accounts.