CVE-2020-26517

Опубликовано: 08 июн. 2021

Источник: nvd

CVSS3: 4.8

CVSS2: 3.5

EPSS Низкий

Описание

A cross-site scripting (XSS) issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. It is possible to perform XSS attacks through using the WebDAV functionality to upload files to a project (Authn users), using the users import functionality (Admin only), and changing the login text in the application configuration (Admin only).

Ссылки

https://intland.com/codebeamer/application-lifecycle-management/
Vendor Advisory
https://www.compass-security.com/fileadmin/Research/Advisories/2021-10_CSNC-2020-012-codebeamer_ALM_XSS.txt
Exploit
Third Party Advisory
https://intland.com/codebeamer/application-lifecycle-management/
Vendor Advisory
https://www.compass-security.com/fileadmin/Research/Advisories/2021-10_CSNC-2020-012-codebeamer_ALM_XSS.txt
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:intland:codebeamer:10.0.0:-:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.0.0:prerelease4:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.0.0:sp1:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.0.0:sp2:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.0.1:sp1:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.1.0:-:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.1.0:sp1:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.1.0:sp2:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.1.0:sp3:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:10.1.0:sp4:*:*:*:*:*:*

cpe:2.3:a:intland:codebeamer:21.04:*:*:*:*:*:*:*

EPSS

Процентиль: 54%

0.0031

Низкий

4.8 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-rj65-wgxg-fc58