CVE-2021-47843 – Tagstoo 2.0.1 contains a stored cross-site scri... (How to Fix)

Q: What is the severity of CVE-2021-47843?

CVE-2021-47843 has a CVSS score of 5.4 (MEDIUM). Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through files or custom tags. This enables attackers to execute arbitrary code on victim computers, potentially leading to remote code execution. Users running Tagstoo 2.0.1 are affected.

📋 TL;DR

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through files or custom tags. This enables attackers to execute arbitrary code on victim computers, potentially leading to remote code execution. Users running Tagstoo 2.0.1 are affected.

💻 Affected Systems

Products:

Tagstoo

Versions: 2.0.1

Operating Systems: All platforms running Tagstoo

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in how Tagstoo handles file uploads and custom tag inputs without proper sanitization.

📦 What is this software?

Tagstoo by Pabloandumundu

View all CVEs affecting Tagstoo →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers achieve remote code execution on victim systems, allowing complete system compromise, data theft, and lateral movement.

🟠

Likely Case

Attackers execute malicious JavaScript to steal session cookies, perform phishing attacks, or deploy malware on victim browsers.

🟢

If Mitigated

If proper input validation and output encoding are implemented, the XSS payloads are neutralized before execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires user interaction (viewing malicious content) but payload delivery is straightforward through stored XSS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://tagstoo.sourceforge.io/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Implement Input Validation

all

Add server-side validation to sanitize file uploads and custom tag inputs before processing.

Implement proper input sanitization in Tagstoo source code

Enable Content Security Policy

all

Configure CSP headers to restrict JavaScript execution from untrusted sources.

Add Content-Security-Policy header to web server configuration

🧯 If You Can't Patch

Disable file upload functionality in Tagstoo configuration
Implement web application firewall rules to block XSS payload patterns

🔍 How to Verify

Check if Vulnerable:

Test if malicious JavaScript can be injected through file uploads or custom tags and persists in the application.

Check Version:

Check Tagstoo version in application interface or configuration files

Verify Fix Applied:

Verify that injected scripts are properly sanitized and do not execute when viewed.

📡 Detection & Monitoring

Log Indicators:

Unusual file upload patterns
JavaScript payloads in user input fields
Multiple failed XSS attempts

Network Indicators:

Suspicious JavaScript payloads in HTTP requests
Unexpected external script loads

SIEM Query:

source="web_logs" AND (http_uri CONTAINS "<script>" OR http_body CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2021-47843

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.05% exploit probability (15.6th percentile)

Published: January 15, 2026

Last Updated: February 5, 2026

🔗 References

https://imgur.com/a/smeAjaW Exploit
https://tagstoo.sourceforge.io/ Product
https://www.exploit-db.com/exploits/49828 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-47843, you might also want to check these: