CVE-2021-25959: 
Java vulnerability analysis and mitigation

In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This vulnerability was assigned CVE-2021-25959 and allows execution of external javascript files on any user of the openCRX instance (Mend Database).

The vulnerability exists due to unsanitized parameters in the password reset functionality. The issue is specifically related to the 'id' parameter in the password reset URL, which can be manipulated to execute external JavaScript files. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.1, indicating moderate severity. The attack vector is network-based, with low attack complexity, requiring no privileges but needs user interaction (Mend Database).

When successfully exploited, this vulnerability allows attackers to execute external JavaScript files on any user of the openCRX instance. This can lead to potential compromise of user data and session information, with the CVSS metrics indicating low impact on both confidentiality and integrity (Mend Database).

The recommended mitigation is to upgrade to version org.opencrx:opencrx-core-config:5.2.0 or later. A fix has been implemented in the codebase as evidenced by the commit 14e75f95e5f56fbe7ee897bdf5d858788072e818 (GitHub Commit).