CVE-2021-41918
5.4 MEDIUM
webTareas version 2.4 and earlier allows an authenticated user to inject arbitrary web script or HTML due to incorrect sanitization of us...
Published: 2021-10-08 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 5.4 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- CWE: CWE-79
Affected products
| Vendor | Product |
|---|---|
| webtareas_project | webtareas |
Description
webTareas version 2.4 and earlier allows an authenticated user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the platform users and administrators. The issue affects every endpoint on the application because it is related to how each URL is echoed back on every response page.
Source: NVD
Related CVEs
Same vendor
- CVE-2021-41920 — webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /i... (7.5 HIGH)
- CVE-2021-41919 — webTareas version 2.4 and earlier allows an authenticated user to arbitrarily upload potentially dangerous files without restrictions (8.8 HIGH)
- CVE-2021-41917 — webTareas version 2.4 and earlier allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name... (5.4 MEDIUM)
- CVE-2021-41916 — A Cross-Site Request Forgery (CSRF) vulnerability in webTareas version 2.4 and earlier allows a remote attacker to create a new administr... (8.8 HIGH)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)