{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8208?format=json","vulnerability_id":"VCID-fy4c-77tm-9kam","summary":"In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture","aliases":[{"alias":"CVE-2021-25967"},{"alias":"GHSA-6w9p-88qg-p3g3"},{"alias":"PYSEC-2021-841"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23997?format=json","purl":"pkg:pypi/ckan@2.9.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1has-6rxa-x3ht"},{"vulnerability":"VCID-5hj2-93n8-bubp"},{"vulnerability":"VCID-6epn-ddfg-8fe9"},{"vulnerability":"VCID-bah9-eeve-zybg"},{"vulnerability":"VCID-fy4c-77tm-9kam"},{"vulnerability":"VCID-mfpa-jdxh-vfd3"},{"vulnerability":"VCID-q8zb-pgzr-rqgs"},{"vulnerability":"VCID-t3gx-x14x-2bf9"},{"vulnerability":"VCID-ueuv-2ufc-e7dq"},{"vulnerability":"VCID-w6cg-ubux-qbfg"},{"vulnerability":"VCID-wc53-cp3f-2faa"},{"vulnerability":"VCID-zqyk-rq9a-eked"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ckan@2.9.4"},{"url":"http://public2.vulnerablecode.io/api/packages/58690?format=json","purl":"pkg:pypi/ckan@2.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1has-6rxa-x3ht"},{"vulnerability":"VCID-5hj2-93n8-bubp"},{"vulnerability":"VCID-6epn-ddfg-8fe9"},{"vulnerability":"VCID-am2d-z4n4-93ff"},{"vulnerability":"VCID-azkb-63qy-9ubj"},{"vulnerability":"VCID-bah9-eeve-zybg"},{"vulnerability":"VCID-mfpa-jdxh-vfd3"},{"vulnerability":"VCID-q8zb-pgzr-rqgs"},{"vulnerability":"VCID-t3gx-x14x-2bf9"},{"vulnerability":"VCID-ueuv-2ufc-e7dq"},{"vulnerability":"VCID-wc53-cp3f-2faa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ckan@2.10.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23993?format=json","purl":"pkg:pypi/ckan@2.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1has-6rxa-x3ht"},{"vulnerability":"VCID-5hj2-93n8-bubp"},{"vulnerability":"VCID-6epn-ddfg-8fe9"},{"vulnerability":"VCID-bah9-eeve-zybg"},{"vulnerability":"VCID-fy4c-77tm-9kam"},{"vulnerability":"VCID-mfpa-jdxh-vfd3"},{"vulnerability":"VCID-q8zb-pgzr-rqgs"},{"vulnerability":"VCID-t3gx-x14x-2bf9"},{"vulnerability":"VCID-ueuv-2ufc-e7dq"},{"vulnerability":"VCID-w6cg-ubux-qbfg"},{"vulnerability":"VCID-wc53-cp3f-2faa"},{"vulnerability":"VCID-zqyk-rq9a-eked"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ckan@2.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/23994?format=json","purl":"pkg:pypi/ckan@2.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1has-6rxa-x3ht"},{"vulnerability":"VCID-5hj2-93n8-bubp"},{"vulnerability":"VCID-6epn-ddfg-8fe9"},{"vulnerability":"VCID-bah9-eeve-zybg"},{"vulnerability":"VCID-fy4c-77tm-9kam"},{"vulnerability":"VCID-mfpa-jdxh-vfd3"},{"vulnerability":"VCID-q8zb-pgzr-rqgs"},{"vulnerability":"VCID-t3gx-x14x-2bf9"},{"vulnerability":"VCID-ueuv-2ufc-e7dq"},{"vulnerability":"VCID-w6cg-ubux-qbfg"},{"vulnerability":"VCID-wc53-cp3f-2faa"},{"vulnerability":"VCID-zqyk-rq9a-eked"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ckan@2.9.1"},{"url":"http://public2.vulnerablecode.io/api/packages/23995?format=json","purl":"pkg:pypi/ckan@2.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1has-6rxa-x3ht"},{"vulnerability":"VCID-5hj2-93n8-bubp"},{"vulnerability":"VCID-6epn-ddfg-8fe9"},{"vulnerability":"VCID-bah9-eeve-zybg"},{"vulnerability":"VCID-fy4c-77tm-9kam"},{"vulnerability":"VCID-mfpa-jdxh-vfd3"},{"vulnerability":"VCID-q8zb-pgzr-rqgs"},{"vulnerability":"VCID-t3gx-x14x-2bf9"},{"vulnerability":"VCID-ueuv-2ufc-e7dq"},{"vulnerability":"VCID-w6cg-ubux-qbfg"},{"vulnerability":"VCID-wc53-cp3f-2faa"},{"vulnerability":"VCID-zqyk-rq9a-eked"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ckan@2.9.2"},{"url":"http://public2.vulnerablecode.io/api/packages/23996?format=json","purl":"pkg:pypi/ckan@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1has-6rxa-x3ht"},{"vulnerability":"VCID-5hj2-93n8-bubp"},{"vulnerability":"VCID-6epn-ddfg-8fe9"},{"vulnerability":"VCID-bah9-eeve-zybg"},{"vulnerability":"VCID-fy4c-77tm-9kam"},{"vulnerability":"VCID-mfpa-jdxh-vfd3"},{"vulnerability":"VCID-q8zb-pgzr-rqgs"},{"vulnerability":"VCID-t3gx-x14x-2bf9"},{"vulnerability":"VCID-ueuv-2ufc-e7dq"},{"vulnerability":"VCID-w6cg-ubux-qbfg"},{"vulnerability":"VCID-wc53-cp3f-2faa"},{"vulnerability":"VCID-zqyk-rq9a-eked"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ckan@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/23997?format=json","purl":"pkg:pypi/ckan@2.9.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1has-6rxa-x3ht"},{"vulnerability":"VCID-5hj2-93n8-bubp"},{"vulnerability":"VCID-6epn-ddfg-8fe9"},{"vulnerability":"VCID-bah9-eeve-zybg"},{"vulnerability":"VCID-fy4c-77tm-9kam"},{"vulnerability":"VCID-mfpa-jdxh-vfd3"},{"vulnerability":"VCID-q8zb-pgzr-rqgs"},{"vulnerability":"VCID-t3gx-x14x-2bf9"},{"vulnerability":"VCID-ueuv-2ufc-e7dq"},{"vulnerability":"VCID-w6cg-ubux-qbfg"},{"vulnerability":"VCID-wc53-cp3f-2faa"},{"vulnerability":"VCID-zqyk-rq9a-eked"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ckan@2.9.4"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25967","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42778","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25967"},{"reference_url":"https://github.com/advisories/GHSA-6w9p-88qg-p3g3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6w9p-88qg-p3g3"},{"reference_url":"https://github.com/ckan/ckan","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ckan/ckan"},{"reference_url":"https://github.com/ckan/ckan/commit/5a46989c0a4f2c2873ca182c196da83b82babd25","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ckan/ckan/commit/5a46989c0a4f2c2873ca182c196da83b82babd25"},{"reference_url":"https://github.com/ckan/ckan/pull/6477","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ckan/ckan/pull/6477"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/ckan/PYSEC-2021-841.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/ckan/PYSEC-2021-841.yaml"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25967","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:27:35Z/"}],"url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25967"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25967","reference_id":"CVE-2021-25967","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25967"}],"weaknesses":[{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fy4c-77tm-9kam"}