{"id":"CVE-2021-38138","details":"OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.","modified":"2026-04-02T07:09:13.006139Z","published":"2021-08-05T16:15:07.317Z","references":[{"type":"ADVISORY","url":"https://github.com/helloxz/onenav/releases"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/163753/OneNav-Beta-0.9.12-Cross-Site-Scripting.html"},{"type":"EVIDENCE","url":"https://github.com/helloxz/onenav/issues/26"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/helloxz/onenav","events":[{"introduced":"0"},{"last_affected":"60a535dfbe8382566f8095b63a30a14e32a975e6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.9.12"}]}}],"versions":["0.9.1","0.9.10","0.9.11","0.9.12","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38138.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}