CVE-2020-13959

Опубликовано: 10 мар. 2021

Источник: ubuntu

Приоритет: medium

CVSS2: 4.3

CVSS3: 6.1

Описание

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Релиз	Статус	Примечание
bionic	ignored	end of standard support, was needs-triage
devel	not-affected	2.0-8
esm-apps/bionic	released	2.0-7ubuntu0.18.04.1~esm1
esm-apps/focal	released	2.0-7ubuntu0.20.04.1
esm-apps/jammy	not-affected	2.0-8
esm-apps/xenial	released	2.0-4ubuntu0.1~esm1
esm-infra-legacy/trusty	DNE
focal	released	2.0-7ubuntu0.20.04.1
groovy	ignored	end of life
hirsute	ignored	end of life

Показывать по

Ссылки на источники

4.3 Medium

CVSS2

6.1 Medium

CVSS3

Связанные уязвимости

CVE-2020-13959

CVSS3: 6.5

redhat

почти 5 лет назад

CVE-2020-13959

CVSS3: 6.1

nvd

почти 5 лет назад

CVE-2020-13959

CVSS3: 6.1

debian

почти 5 лет назад

The default error page for VelocityView in Apache Velocity Tools prior ...

GHSA-fh63-4r66-jc7v

CVSS3: 6.1

github

почти 5 лет назад

Cross-site scripting (XSS) in Apache Velocity Tools

4.3 Medium

CVSS2

6.1 Medium

CVSS3

CVE-2020-13959

Описание

Пакет velocity-tools

Ссылки на источники

Связанные уязвимости