{"id":"CVE-2021-25959","details":"In openCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows external JavaScript files to be executed in the browser of any user of the openCRX instance.","aliases":["GHSA-rwh9-8xx8-4wfm"],"modified":"2026-04-11T13:54:00.496744Z","published":"2021-09-29T14:15:07.620Z","references":[{"type":"WEB","url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959"},{"type":"FIX","url":"https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencrx/opencrx","events":[{"introduced":"b78f2e7527fa15fd86ac35e66048293e7bc112c1"},{"last_affected":"7e4f0c4c1238c7bf6c6d38c68a8f4db17bdb53c5"},{"fixed":"14e75f95e5f56fbe7ee897bdf5d858788072e818"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"last_affected":"5.1.0"}]}}],"versions":["opencrx-v4.0.0","opencrx-v4.1.0","opencrx-v4.2.0","opencrx-v4.3.0","opencrx-v4.3.0-rc.1","opencrx-v5.0-20200714","opencrx-v5.0-20200715","opencrx-v5.0-20200717","opencrx-v5.0-20200904","opencrx-v5.0.0","opencrx-v5.0.1","opencrx-v5.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25959.json","vanir_signatures_modified":"2026-04-11T13:54:00Z","vanir_signatures":[{"source":"https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818","signature_version":"v1","target":{"function":"copyDb","file":"core/src/main/java/org/opencrx/kernel/tools/CopyDb.java"},"digest":{"length":1272,"function_hash":"299926449566693712240401486120705060548"},"id":"CVE-2021-25959-3d12a421","signature_type":"Function","deprecated":false},{"source":"https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818","signature_version":"v1","target":{"function":"copyDbObject","file":"core/src/main/java/org/opencrx/kernel/tools/CopyDb.java"},"digest":{"length":3727,"function_hash":"153014618847153202251050346306638867562"},"id":"CVE-2021-25959-79065f0e","signature_type":"Function","deprecated":false},{"source":"https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818","signature_version":"v1","target":{"file":"core/src/main/java/org/opencrx/kernel/tools/CopyDb.java"},"digest":{"line_hashes":["252974067760682639526069339914185005060","67307008562535689517234536862088945489","219511582486534768945373860123843421775","157950679091514196060976590044903556173","283744227869885296625868921359126648981","173950007691500410815011086662779563699","183425582796188218942433615138051562480","268199670166582995169337558919550266166"],"threshold":0.9},"id":"CVE-2021-25959-a522a2d6","signature_type":"Line","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}