{"id":"CVE-2021-37365","details":"CTparental before 4.45.03 is vulnerable to cross-site scripting (XSS) in the CTparental admin panel. In bl_categires_help.php, the 'categories' variable is assigned with the content of the query string param 'cat' without sanitization or encoding, enabling an attacker to inject malicious code into the output webpage.","modified":"2026-04-12T00:40:18.392782Z","published":"2021-08-10T17:15:10.690Z","references":[{"type":"ADVISORY","url":"https://gist.github.com/securylight/092ba96a660e07ad76f2a380c2eaa75a"},{"type":"ADVISORY","url":"https://gitlab.com/marsat/CTparental/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/ctparentalgroup/CTparental","events":[{"introduced":"0"},{"fixed":"db154c83398f40ae651e672c46f54425dfdb5b1d"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.45.03"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:ctparental_project:ctparental:*:*:*:*:*:*:*:*"}}],"versions":["4.25.05m","4.30.08m","4.40.04m","4.40.05m","4.41.01m","4.41.02m","4.42.01m","4.43.01m","4.44.01m","4.44.02m","4.44.03m","4.44.05m","4.44.08m","4.44.09m","4.44.11-manjaro-test","4.44.12m","4.44.13m","4.44.15m","4.44.16m","4.44.17m","4.44.18m","4.45.02m"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-37365.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}