Armis Vulnerability Intelligence Database

By combining AI with human insight, Armis Vulnerability Intelligence Database offers extended coverage for vulnerabilities that matter to you, your industry, and provides you with clear remediation instructions.

CVE Name	Severity Score	Published Date	CISA KEV

Take These Insights to the Next Level

Armis now offers direct API access to Armis Vulnerability Intelligence Database through the AWS Marketplace, transforming it from a powerful research tool into an integrated component of your proactive security posture.

Seamless Integration: Directly feed Armis's contextual data into your existing stack.
Automated Workflows: Automate vulnerability lookups in real-time.
Custom Solutions: Use the raw data to build custom dashboards, reports, alerts.

Insights Hero

Perspectives, Insights, and News

News article image

This Year Vulnerability Management Moves from the Basement to the C-suite

The evolution of cybersecurity practices are reshaping how organizations tackle vulnerabilities.

News article image

Closing the Loop

Making security everyone's business with prioritization and collaboration.

READ CASE STUDY→

News article image

The State of Cyberwarfare

The state of Cyberwarfare

Focus on What Matters

See everything.Identify true risk.Proactively mitigate threats.Book a Demo

Let's talk!

CVE-2021-37504 | Medium Severity | Armis

.jpg\", which would then be executed in the victim's browser context when the upload information is displayed.\n","datePublished":"2022-02-25T19:15:12.000Z","dateModified":"2026-05-13T09:05:21.686Z","keywords":"Medium, 2022, CVE, vulnerability, cybersecurity, CVSS","url":"https://cve.armis.com/CVE-2021-37504","author":{"@type":"Organization","name":"Armis","url":"https://www.armis.com"},"publisher":{"@type":"Organization","name":"Armis","url":"https://www.armis.com"},"license":"https://creativecommons.org/licenses/by-nc-sa/4.0/","isBasedOn":{"@type":"WebPage","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37504","name":"NVD CVE-2021-37504"},"additionalProperty":[{"@type":"PropertyValue","name":"CVSS Score","value":"6.1"},{"@type":"PropertyValue","name":"Severity","value":"Medium"},{"@type":"PropertyValue","name":"EPSS Score","value":"0.72%"},{"@type":"PropertyValue","name":"EPSS Percentile","value":"72th"},{"@type":"PropertyValue","name":"Attack Vector","value":"NETWORK"},{"@type":"PropertyValue","name":"Attack Complexity","value":"LOW"},{"@type":"PropertyValue","name":"Privileges Required","value":"NONE"},{"@type":"PropertyValue","name":"User Interaction","value":"REQUIRED"},{"@type":"PropertyValue","name":"Scope","value":"CHANGED"},{"@type":"PropertyValue","name":"Confidentiality Impact","value":"LOW"},{"@type":"PropertyValue","name":"Integrity Impact","value":"LOW"},{"@type":"PropertyValue","name":"Availability Impact","value":"NONE"}]},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is CVE-2021-37504?","acceptedAnswer":{"@type":"Answer","text":"Cross-site scripting (XSS) vulnerability in jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts through crafted filenames.\n"}},{"@type":"Question","name":"How severe is CVE-2021-37504?","acceptedAnswer":{"@type":"Answer","text":"CVE-2021-37504 has a CVSS score of 6.1 (Medium severity). EPSS score: 0.72% (72th percentile), indicating the estimated probability of exploitation in the wild."}},{"@type":"Question","name":"How do I fix CVE-2021-37504?","acceptedAnswer":{"@type":"Answer","text":"To remediate this vulnerability, developers should:\n\n1. Update to a newer version of jQuery-Upload-File if available that addresses this security issue.\n2. If updates are not available, implement a custom fix by modifying the plugin code to properly sanitize filenames before displaying them:\n - Use appropriate encoding functions like jQuery's .text() instead of .html() when inserting filenames\n - Implement server-side validation and sanitization of uploaded filenames\n - Consider implementing Content Security Policy (CSP) headers to mitigate the impact of XSS vulnerabilities\n\n3. As a temporary workaround, developers can modify line 469 in jquery.uploadfile.js to sanitize the filename by replacing:\n ```\n var fileNameStr = fileName;\n ```\n with:\n ```\n var fileNameStr = $('

').text(fileName).html();\n ```\n"}}]},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://cve.armis.com/"},{"@type":"ListItem","position":2,"name":"CVE-2021-37504","item":"https://cve.armis.com/CVE-2021-37504"}]}]

CVE-2021-37504:

Cross-site scripting (XSS) vulnerability in jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts through crafted filenames.

Score
A numerical rating that indicates how dangerous this vulnerability is.

Published Date:Feb 25, 2022
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.7
EPSS Percentile:72%

Exploitability

Score:2.8
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE

Description Preview

Cross-site scripting (XSS) vulnerability in jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts through crafted filenames.

Overview

The vulnerability exists in jQuery-Upload-File v4.0.11, a popular jQuery plugin used for file uploads in web applications. The issue occurs because the plugin directly inserts the filename into the DOM without proper sanitization when displaying upload information. According to the source code referenced in the CVE (line 469 of jquery.uploadfile.js), the plugin does not properly escape or sanitize user-provided filenames before rendering them in the browser. An attacker can exploit this by uploading a file with a name containing malicious JavaScript, such as "filealert(document.cookie).jpg", which would then be executed in the victim's browser context when the upload information is displayed.

Remediation

To remediate this vulnerability, developers should:

Update to a newer version of jQuery-Upload-File if available that addresses this security issue.
If updates are not available, implement a custom fix by modifying the plugin code to properly sanitize filenames before displaying them:
- Use appropriate encoding functions like jQuery's .text() instead of .html() when inserting filenames
- Implement server-side validation and sanitization of uploaded filenames
- Consider implementing Content Security Policy (CSP) headers to mitigate the impact of XSS vulnerabilities
As a temporary workaround, developers can modify line 469 in jquery.uploadfile.js to sanitize the filename by replacing:
```
var fileNameStr = fileName;
```
with:
```
var fileNameStr = $('<div>').text(fileName).html();
```

References

GitHub source code showing the vulnerable line: https://github.com/hayageek/jquery-upload-file/blob/master/js/jquery.uploadfile.js#L469
Raw source code of the plugin: https://raw.githubusercontent.com/hayageek/jquery-upload-file/master/js/jquery.uploadfile.js
jQuery library referenced by the plugin: http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
Plugin CSS file: http://hayageek.github.io/jQuery-Upload-File/4.0.11/uploadfile.css
Minified version of the vulnerable plugin: http://hayageek.github.io/jQuery-Upload-File/4.0.11/jquery.uploadfile.min.js
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Industries Affected

Below is a list of industries most commonly impacted or potentially at risk based on intelligence.

Low

Mining

Utilities

Information

Construction

Retail Trade

Manufacturing

Wholesale Trade

Educational Services

Finance and Insurance

Public Administration

Real Estate Rental and Leasing

Transportation and Warehousing