CVE-2021-47925 Overview
CVE-2021-47925 affects CMDBuild 3.3.2, an open-source configuration management database (CMDB) and IT asset management platform. The vulnerability consists of multiple stored cross-site scripting (XSS) flaws [CWE-79] in card creation and file upload endpoints. Authenticated attackers can inject malicious JavaScript or HTML through Employee card parameters or by uploading crafted SVG file attachments to the classes endpoint. The injected payloads execute in the browser context of any user who views the affected records or previews the attachments.
Critical Impact
Authenticated attackers can persist JavaScript payloads inside CMDB records and SVG attachments, executing arbitrary script in victims' browsers and enabling session theft or account takeover within the CMDBuild application.
Affected Products
- CMDBuild 3.3.2
- Employee card creation endpoint
- classes endpoint file upload functionality (SVG attachments)
Discovery Timeline
- 2026-05-10 - CVE-2021-47925 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47925
Vulnerability Analysis
CMDBuild 3.3.2 fails to sanitize user-supplied input before storing it and rendering it back to other users. The flaw is a stored XSS [CWE-79], meaning the payload persists in the application database and executes whenever another authenticated user views the affected record. Two injection points are documented in the VulnCheck Advisory for CMDBuild and the Exploit-DB #50527 entry.
The first injection point is the Employee card creation form, where text fields accept arbitrary HTML and script content. The second is the file attachment workflow on the classes endpoint, which accepts SVG uploads without stripping embedded <script> elements or event handlers.
Root Cause
The root cause is missing output encoding and inadequate file content validation. CMDBuild stores card field values verbatim and renders them into HTML responses without contextual escaping. For attachments, the application serves SVG files with an executable MIME type rather than forcing download or sanitizing the SVG XML, allowing inline scripts inside the SVG to execute in the application's origin.
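The two root causes above, rendering stored field values without output encoding and serving SVG uploads inline, illustrated in Python as an added example for this page (it is not CMDBuild's code): a vulnerable card renderer beside a hardened one, a JavaScript-string encoder for the script context, and an attachment-header helper that refuses to serve anything SVG-like inline. The function names, the hostile sample value and the inline-safe type list are assumptions made for the illustration.

```python
"""The two root causes named in the advisory, shown beside their fixes.

Added example written for this page; it is not CMDBuild code. A minimal card
renderer that interpolates stored values verbatim sits beside one that encodes
each value for the context it lands in, and an attachment-response helper
forces anything SVG-like to download. All sample values are constructed.
"""
from __future__ import annotations
import html
import json

# Raster image types that browsers render without any script capability (assumption).
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif"}


def render_card_unsafe(fields: dict) -> str:
    """Vulnerable pattern: stored values are dropped straight into HTML."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in fields.items())
    return f"<table>{rows}</table>"


def render_card_safe(fields: dict) -> str:
    """Hardened pattern: every value is escaped for its HTML context.
    quote=True also encodes quotes, which is what keeps a value safe when
    it is reused inside an attribute such as title="..."."""
    rows = []
    for k, v in fields.items():
        key, val = html.escape(str(k), quote=True), html.escape(str(v), quote=True)
        rows.append(f'<tr><td>{key}</td><td title="{val}">{val}</td></tr>')
    return f"<table>{''.join(rows)}</table>"


def embed_in_script(value: str) -> str:
    """JavaScript-string context: JSON-encode, then break any '</' so the
    value can never close the enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def attachment_headers(filename: str, declared_type: str, head: bytes) -> dict:
    """Response headers for an uploaded attachment. Only raster images are
    served inline; anything that looks like SVG or XML by name, declared type
    or leading bytes goes out as an application/octet-stream download."""
    sniff = head.lstrip()[:256].lower()
    looks_svg = (
        filename.lower().endswith((".svg", ".svgz"))
        or "svg" in declared_type.lower()
        or b"<svg" in sniff
        or sniff.startswith(b"<?xml")
    )
    # Strip characters that could break out of the quoted filename parameter.
    safe_name = "".join(ch for ch in filename if ch not in '"\r\n')
    if looks_svg or declared_type not in INLINE_SAFE_TYPES:
        return {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    card = {"Name": '"><script>alert(1)</script>'}  # constructed hostile field value
    print(render_card_unsafe(card))
    print(render_card_safe(card))
    print(embed_in_script("</script><script>alert(1)</script>"))
    print(attachment_headers("logo.svg", "image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'/>"))
```

The renderer fix is per context: HTML body and attribute values go through html.escape, while a value embedded in an inline script goes through embed_in_script; using one encoder for every context is the usual way such a fix stays incomplete. The attachment helper checks the leading bytes as well as the name and declared type, so renaming an SVG to .png does not get it rendered inline.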
Attack Vector
An authenticated low-privileged user creates an Employee card containing an XSS payload in a text field, or uploads a crafted SVG file containing JavaScript through the classes attachment endpoint. When another user — including an administrator — opens the card or previews the attachment, the script executes in their browser session. This allows the attacker to exfiltrate session cookies, perform actions on behalf of the victim, or pivot to higher-privileged accounts.
No verified exploit code is reproduced here. Refer to the Exploit-DB #50527 public proof-of-concept for the exact request structure.
Detection Methods for CVE-2021-47925
Indicators of Compromise
- CMDBuild card fields containing <script>, onerror=, onload=, or javascript: substrings stored in the database.
- SVG attachments in the classes endpoint containing <script> tags or event-handler attributes such as onload.
- Unexpected outbound HTTP requests from analyst browsers immediately after viewing a CMDBuild record or attachment.
Detection Strategies
- Query the CMDBuild database for stored card values matching common XSS signatures and review them manually.
- Inspect uploaded files in the attachment store for SVG content that includes scripting constructs or external resource references.
- Review web server access logs for POST requests to card creation and classes upload endpoints containing encoded script payloads.
Monitoring Recommendations
- Enable verbose application audit logging for card create, update, and file upload actions, capturing the submitting user and payload size.
- Forward CMDBuild and reverse-proxy logs to a centralized log platform and alert on requests containing HTML or script tokens in CMDB form fields.
- Monitor browser sessions of privileged CMDBuild users for anomalous XHR activity after record views, which may indicate XSS payload execution.
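One way to operationalise the indicators of compromise, detection strategies and monitoring recommendations above, as an added example for this page rather than CMDBuild or vendor code: a Python scanner for stored card values, SVG attachment bytes and reverse-proxy access-log request lines. The `/cmdbuild/example-upload` path, the sample SVGs and the log lines are constructed placeholders; match `watched_prefixes` to the routes your deployment actually exposes.

```python
"""Detection helpers for the indicators and strategies listed above.

Added example written for this page; not CMDBuild code. It covers the three
sources the advisory names: stored card field values, SVG attachment bytes and
reverse-proxy access-log lines. The log paths are placeholders for whatever
routes your deployment exposes, and every sample below is constructed.
"""
from __future__ import annotations
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Signature tokens from the indicator list, matched case-insensitively after
# URL and HTML-entity decoding so that encoded variants still register.
XSS_TOKENS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(?:svg|iframe|img|object|embed)\b",
    re.IGNORECASE,
)

def decode_layers(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` nested layers of URL and HTML-entity encoding."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def scan_field(value: str) -> list[str]:
    """Return the distinct signature tokens present in a stored card field."""
    hits = {m.group(0).lower() for m in XSS_TOKENS.finditer(decode_layers(value))}
    return sorted(re.sub(r"\s+", "", hit) for hit in hits)

def _local(name: str) -> str:
    """Drop a {namespace} prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Findings for an SVG attachment: script or foreignObject elements, event
    handler attributes, javascript: URLs and external resource references. The
    stdlib parser keeps the example portable; for untrusted input in production,
    defusedxml (assumed not installed here) is the safer choice."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable-xml"]
    findings = set()
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.add(f"element:{tag}")
        for name, raw in el.attrib.items():
            attr, val = _local(name), raw.strip().lower()
            if attr.startswith("on"):
                findings.add(f"event-handler:{attr}")
            elif attr == "href" and val.startswith("javascript:"):
                findings.add("javascript-url")
            elif attr == "href" and val.startswith(("http:", "https:", "//")):
                findings.add("external-ref")
    return sorted(findings)

# Combined Log Format request line. Only the request target is visible here, so
# a payload carried purely in the POST body needs the application audit log.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines, watched_prefixes) -> list[dict]:
    """Alert on POST requests to watched card-creation or upload paths whose
    request target carries encoded script tokens."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or not m["target"].startswith(tuple(watched_prefixes)):
            continue
        tokens = scan_field(m["target"])
        if tokens:
            alerts.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "tokens": tokens})
    return alerts

# Constructed samples. "/cmdbuild/example-upload" is a placeholder path, not a
# real CMDBuild route; swap in the endpoints your deployment serves.
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
               b'onload="alert(1)"><script>alert(2)</script><a xlink:href="javascript:alert(3)">'
               b'<text>x</text></a><image xlink:href="https://example.invalid/t.png"/></svg>')
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SAMPLE_LOG = [
    '198.51.100.7 - jdoe [01/Jan/2024:10:02:15 +0000] "POST /cmdbuild/example-upload?name=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 201 42 "-" "Mozilla/5.0"',
    '203.0.113.9 - asmith [01/Jan/2024:10:03:44 +0000] "POST /cmdbuild/example-upload?name=report.pdf HTTP/1.1" 201 42 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan_field("%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"))
    print(scan_svg(HOSTILE_SVG), scan_svg(BENIGN_SVG))
    print(scan_access_log(SAMPLE_LOG, ["/cmdbuild/example-upload"]))
```

Feed the stored values returned by the database query from the strategy list to scan_field, and walk the attachment store with scan_svg; the dictionaries scan_access_log returns are the records to forward to the central log platform named in the monitoring recommendations. Decoding before matching is what catches URL- or entity-encoded variants, and the word boundary in the event-handler pattern keeps ordinary words such as "promotion=" out of the results.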
How to Mitigate CVE-2021-47925
Immediate Actions Required
- Upgrade CMDBuild to a version later than 3.3.2 by following the CMDBuild Latest Version Download instructions.
- Audit existing Employee cards and classes attachments for previously injected XSS payloads and remove any malicious content.
- Restrict card creation and file upload permissions to trusted users until patching is complete.
Patch Information
No specific patched version is identified in the published advisory. Administrators should consult the CMDBuild Official Website and the VulnCheck Advisory for CMDBuild for vendor remediation guidance and apply the most recent stable release.
Workarounds
- Configure the reverse proxy or web server to serve uploaded SVG files with Content-Disposition: attachment and a non-executable MIME type to prevent inline rendering.
- Deploy a strict Content Security Policy (CSP) for the CMDBuild application that disables inline scripts and restricts script sources to trusted origins; roll it out in Content-Security-Policy-Report-Only mode first, because a policy that blocks inline scripts can break the application's own UI.
- Block SVG uploads entirely at the upload endpoint if SVG is not required for business workflows.
# Example nginx configuration to force SVG download and apply CSP.
# The location must match the URL your CMDBuild deployment actually serves attachments
# from (verify with a test download). "types" only applies to files nginx serves itself;
# for proxied responses, hide the upstream Content-Type (proxy_hide_header) and add_header it.
location ~* \.svg$ {
    types { application/octet-stream svg; }
    add_header Content-Disposition "attachment";
    add_header X-Content-Type-Options "nosniff";
    # add_header is not inherited into a location that declares its own add_header,
    # so the CSP must be repeated here or it is silently dropped for SVG responses.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


