exploitDog

CVE-2020-13821

Опубликовано: 26 авг. 2020

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

An issue was discovered in HiveMQ Broker Control Center 4.3.2. A crafted clientid parameter in an MQTT packet (sent to the Broker) is reflected in the client section of the management console. The attacker's JavaScript is loaded in a browser, which can lead to theft of the session and cookie of the administrator's account of the Broker.

Ссылки

https://payatu.com/advisory/hivemq-mqtt-broker---xss-over-mqtt
Third Party Advisory
https://www.hivemq.com/blog/hivemq-4-3-3-released/
Release Notes
Vendor Advisory
https://payatu.com/advisory/hivemq-mqtt-broker---xss-over-mqtt
Third Party Advisory
https://www.hivemq.com/blog/hivemq-4-3-3-released/
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:hivemq:broker_control_center:4.3.2:*:*:*:*:*:*:*

EPSS

Процентиль: 56%

0.00343

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-9qcc-v828-vgx7

github

больше 3 лет назад

An issue was discovered in HiveMQ Broker Control Center 4.3.2. A crafted clientid parameter in an MQTT packet (sent to the Broker) is reflected in the client section of the management console. The attacker's JavaScript is loaded in a browser, which can lead to theft of the session and cookie of the administrator's account of the Broker.

EPSS

Процентиль: 56%

0.00343

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79