CVE-2021-47743: COMMAX Biometric Access Control System 1.0.0 Reflected XSS via Cookie Parameters
COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session.
Security readout for executives and security teams
Plain-English summary
COMMAX Biometric Access Control System 1.0.0 can reflect attacker-controlled cookie values into a user's browser. A victim must be tricked into interacting with the affected web interface. Successful exploitation could let script run in that browser session, risking limited data exposure or unauthorized actions in the application context.
Executive priority
Treat this as a moderate-priority web application exposure. Prioritize any internet-reachable or broadly accessible access-control management portals, then reduce access and seek vendor remediation guidance.
Technical view
The issue is unauthenticated reflected XSS in cookie parameters CMX_ADMIN_NM and CMX_COMPLEX_NM in COMMAX Biometric Access Control System 1.0.0. CVSS 3.1 is 6.1 with network attack vector, low complexity, no privileges, required user interaction, changed scope, and low confidentiality/integrity impact.
Likely exposure
Exposure is limited to organizations running COMMAX Biometric Access Control System version 1.0.0, especially where its web interface is reachable by users or from untrusted networks.
Exploitation context
The bundle includes public exploit-database references, but KEV is false and no cited source confirms active exploitation. This is a browser-session risk, not direct device takeover from the evidence provided.
Researcher notes
Evidence is strongest for product, version, CWE-79 class, cookie parameters, and CVSS. The bundle does not provide a confirmed vendor patch, affected CPEs, or active exploitation evidence.
Mitigation direction
Identify any COMMAX Biometric Access Control System 1.0.0 deployments.
Check COMMAX support or vendor guidance for fixed software or upgrade paths.
Restrict access to the web interface to trusted networks or VPN users.
Apply web filtering or proxy controls for suspicious cookie-based XSS attempts.
Review logs for unusual CMX_ADMIN_NM or CMX_COMPLEX_NM cookie values.
Validation and detection
Confirm product name and version on each access-control management server.
Verify whether the affected web interface is reachable from untrusted networks.
In a controlled test, check whether benign cookie markers are reflected unencoded.
Review application and proxy logs for suspicious values in the named cookies.
Document whether compensating access controls protect the interface.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.