{"id":"CVE-2020-21316","details":"A Cross-site scripting (XSS) vulnerability exists in the comment section in ZrLog 2.1.3, which allows remote attackers to inject arbitrary web script, steal administrator cookies via the nickname parameter, and gain access to the admin panel.","modified":"2026-03-15T14:06:32.854272Z","published":"2021-06-15T20:15:11.300Z","references":[{"type":"FIX","url":"https://gist.github.com/T-pod/d9405dbd61243990d65d55c5df0fcbe6"},{"type":"FIX","url":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"type":"FIX","url":"https://github.com/94fzb/zrlog/issues/56"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/94fzb/zrlog","events":[{"introduced":"0"},{"fixed":"b921c1ae03b8290f438657803eee05226755c941"}]},{"type":"GIT","repo":"https://github.com/94fzb/zrlog","events":[{"introduced":"0"},{"fixed":"b921c1ae03b8290f438657803eee05226755c941"}]}],"database_specific":{"vanir_signatures":[{"signature_version":"v1","id":"CVE-2020-21316-0efcd70f","deprecated":false,"digest":{"length":1104,"function_hash":"314116546790506854085695190330257683378"},"signature_type":"Function","target":{"function":"visitorPermission","file":"web/src/main/java/com/zrlog/web/interceptor/VisitorInterceptor.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-257d655e","deprecated":false,"digest":{"length":1149,"function_hash":"137613741883679278491632420607273961738"},"signature_type":"Function","target":{"function":"save","file":"service/src/main/java/com/zrlog/service/CommentService.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-3a5a9e0c","deprecated":false,"digest":{"length":1328,"function_hash":"243539549476825609237483414567709360403"},"signature_type":"Function","target":{"function":"fillArticleInfo","file":"web/src/main/java/com/zr
log/web/interceptor/TemplateHelper.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-61064135","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["255317515322004661244838622795289278510","1585590115297278668542033621338600927","254891015209655894095497332809953272185","127535317118388556884289854862733688977","191811468374451648440606354442601973995","234482959144584477846631332928910975033","128531876409498421601571775994588919931","49052709491107294757906768625593591506","85127002104879830226331679488692397774","334189335248224068690334842305714807004","292145379695361543872316783387136243774","269936479993536339696752510048312913867","264409648700854651823348133134607573768"]},"signature_type":"Line","target":{"file":"common/src/main/java/com/zrlog/web/util/WebTools.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-83ebf214","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["181698198724114515457028488461359997051","78293718847762090180831430992759950408","227952938564799657506579552419492826802","338546277548037556835424653200028731825","152649622324033886272711513714946452720","74122167379593432692728147884713950434","224560405946310655793607518442119409196","304589926665924769059257584194924262617","202142239757429806879995151234506415139","272959905494415245370135732323385478978","246172498396409406269758518918081870391","197475500111986437369497199969399682144","4954522115248510123166082542878109127","73708422785249498016964631364800179806","297812936685670484314197255204429298839","77138836914463877242950420553889866509"]},"signature_type":"Line","target":{"file":"web/src/main/java/com/zrlog/web/controller/blog/ArticleController.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1",
"id":"CVE-2020-21316-88db142f","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["178053060088788974393113175310314180646","92275880426040984137495012234942305785","52765419042201367541045930796366806354","175358007515466031679721415109337571197","37593684550153422024637936302115416362","130099785033098268167324943382592710728","275223062953703030271882369695886645572","73715361936018940725651771672425761546","22195925961968675355307281252943698564","82626779293346072494414603583557442666","330305284237318781853359687356538502192","172419303118402829017540987165309172758","196443777864715007678975226858929107548","290518383898672222908397394758330151183"]},"signature_type":"Line","target":{"file":"service/src/main/java/com/zrlog/service/CommentService.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-9bdd04b9","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["81674906023471645466592537015215189310","10129745713239287829397144641241857619","282804773865029287285642757612263921150","182174972745819675941802491244710833607","339039745101975972296562730485988622889","228899969454856675753784777051935732331","262529975862715798549720180822144006434","199343592546387810499397962256443548272"]},"signature_type":"Line","target":{"file":"web/src/main/java/com/zrlog/web/interceptor/VisitorInterceptor.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-ae6888c5","deprecated":false,"digest":{"length":253,"function_hash":"295394059786802822867445299716423078386"},"signature_type":"Function","target":{"function":"saveComment","file":"web/src/main/java/com/zrlog/web/controller/blog/ArticleController.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-b4166985","deprecated":false,"dige
st":{"length":1150,"function_hash":"328781203447287451830282395420437218762"},"signature_type":"Function","target":{"function":"afterJFinalStart","file":"web/src/main/java/com/zrlog/web/config/ZrLogConfig.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-b6a4a1f7","deprecated":false,"digest":{"length":715,"function_hash":"7068073471497652788829679465550950382"},"signature_type":"Function","target":{"function":"getRealIp","file":"common/src/main/java/com/zrlog/web/util/WebTools.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-bb2d9f0c","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["35767719419188490829919311240567076081","90719088655743489986813475385448360465","218374467866992455428320116034123166642","68019269094447134616163783392130856448"]},"signature_type":"Line","target":{"file":"web/src/main/java/com/zrlog/web/interceptor/TemplateHelper.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CVE-2020-21316-cc9763d3","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["74905063471474703248189730641804005053","130308717912076800051313452541027448753","37495164491180937392416168901757183190","71815569320077476230847569244722166896","248744880354348207321794203919310046318","104593027055061343465193587486782039883","65903254530894404463457035669405346954","247220481241153184055740706176680373152","301910473106642072078411063025395289642","134618710902054889966067179626439499550","30323998384549489032504626572908890109","87108183155772886971799773587441098080"]},"signature_type":"Line","target":{"file":"web/src/main/java/com/zrlog/web/config/ZrLogConfig.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"},{"signature_version":"v1","id":"CV
E-2020-21316-e0817f0a","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["337947787947358830477196862020105624860","42233489271249215341832571073079729067","204925795602141333892684847050874504727","259339527632048421534968985598555287556"]},"signature_type":"Line","target":{"file":"web/src/main/java/com/zrlog/web/Application.java"},"source":"https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.1.3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-21316.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}