{"id":"CVE-2021-27940","details":"resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.","aliases":["GHSA-752c-vfpf-cp2w"],"modified":"2025-11-14T11:34:22.118851Z","published":"2021-03-03T22:15:12.503Z","references":[{"type":"FIX","url":"https://github.com/openark/orchestrator/pull/1313"},{"type":"ADVISORY","url":"https://github.com/openark/orchestrator/releases/tag/v3.2.4"},{"type":"EVIDENCE","url":"https://www.youtube.com/watch?v=DOYm0DIS3Us"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openark/orchestrator","events":[{"introduced":"0"},{"fixed":"340578e0d74b1f47112b6b019060790221a50a25"}]}],"versions":["3.2.1.beta","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.1-BETA","v2.1.2","v2.1.4","v2.1.5","v3.0.1.pre-release","v3.0.10","v3.0.11","v3.0.12","v3.0.13","v3.0.14","v3.0.2","v3.0.3","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.0.pre-release","v3.1.0","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.2.0.beta","v3.2.2","v3.2.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-27940.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}