cvedb.io
CVE-2021-33570
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2021-05-25T22:15:10.353 · Last modified 2026-06-17T03:54:48.483

Summary

Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections.

Affected products

postbird_project — postbird

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.