CVE-2020-29455

Опубликовано: 11 дек. 2020

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

A cross-Site Scripting (XSS) vulnerability in this.showInvalid and this.showInvalidCountry in SmartyStreets liveAddressPlugin.js 3.2 allows remote attackers to inject arbitrary web script or HTML via any address parameter (e.g., street or country).

Ссылки

https://github.com/smartystreets-archives
Third Party Advisory
https://jsfiddle.net/smartystreets/Lx2dbsaa/
Third Party Advisory
https://www.guidepointsecurity.com/liveaddressplugin-js-vulnerability-disclosure/
Exploit
Third Party Advisory
https://github.com/smartystreets-archives
Third Party Advisory
https://jsfiddle.net/smartystreets/Lx2dbsaa/
Third Party Advisory
https://www.guidepointsecurity.com/liveaddressplugin-js-vulnerability-disclosure/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:smartystreets:liveaddressplugin.js:3.2:*:*:*:*:*:*:*

EPSS

Процентиль: 64%

0.00472

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-q7hp-c9hf-jfvx

github

больше 3 лет назад