Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-13959

Опубликовано: 09 мар. 2021
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Отчет

velocity as shipped in Red Hat Enterprise Linux 6, 7, and 8, as well as CodeReady Studio 12, is not affected by this flaw as the affected velocity-tools code is not present in shipped products. This includes those shipped in javapackages-tools and pki-deps as well.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2velocityNot affected
Red Hat BPM Suite 6velocityOut of support scope
Red Hat CodeReady Studio 12velocityNot affected
Red Hat Decision Manager 7velocityNot affected
Red Hat Enterprise Linux 6velocityNot affected
Red Hat Enterprise Linux 7velocityNot affected
Red Hat Enterprise Linux 8javapackages-tools:201801/velocityNot affected
Red Hat Enterprise Linux 8pki-deps:10.6/velocityNot affected
Red Hat Enterprise Linux 9velocityNot affected
Red Hat Fuse 7velocityNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1937445velocity: XSS in the default error page for VelocityView

EPSS

Процентиль: 87%
0.03207
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-13959

CVSS3: 6.1
ubuntu
почти 5 лет назад

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

nvd логотип

CVE-2020-13959

CVSS3: 6.1
nvd
почти 5 лет назад

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

debian логотип

CVE-2020-13959

CVSS3: 6.1
debian
почти 5 лет назад

The default error page for VelocityView in Apache Velocity Tools prior ...

github логотип

GHSA-fh63-4r66-jc7v

CVSS3: 6.1
github
почти 5 лет назад

Cross-site scripting (XSS) in Apache Velocity Tools

EPSS

Процентиль: 87%
0.03207
Низкий

6.5 Medium

CVSS3