CVE-2020-13697
NanoHTTPD Cross-site Scripting vulnerability
EPSS 0.22%
Description
An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that renders debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because GeneralHandler's GET handler concatenates the request URI and the query-string parameter names and values into the HTML response without any escaping, so a crafted link such as `/?q=<script>...</script>` is reflected back to the browser as live markup.
How to fix CVE-2020-13697
No fixed version has been published. Mitigate by not exposing GeneralHandler (or any subclass that inherits its unmodified GET handler) on a route: override `get()` in your own handler and HTML-escape the URI and every query parameter before inserting them into the page, or remove the affected package and follow the upstream guidance in the references below.
- No fixed version listed
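The following is an added example of the mitigation described above, not code from the NanoHTTPD project. It assumes the master-branch package layout referenced below (`org.nanohttpd.protocols.http.*` and `org.nanohttpd.router.RouterNanoHTTPD`; the 2.3.1 Maven release uses `fi.iki.elonen` instead), the nanolets `DefaultHandler` / `UriResource` / `IHTTPSession` API, and a hypothetical server class `SafeDebugServer` with its own `htmlEscape` helper. The handler keeps the same page shape as `GeneralHandler.get()` but escapes every request-controlled value, and adds a restrictive CSP as defence in depth.

```java
import java.util.Map;

import org.nanohttpd.protocols.http.IHTTPSession;
import org.nanohttpd.protocols.http.response.IStatus;
import org.nanohttpd.protocols.http.response.Response;
import org.nanohttpd.protocols.http.response.Status;
import org.nanohttpd.router.RouterNanoHTTPD;

/**
 * Hypothetical server (example code, not part of NanoHTTPD) that registers its
 * own GET handler for the debug page instead of inheriting GeneralHandler's,
 * so query-string data is never reflected unescaped.
 */
public class SafeDebugServer extends RouterNanoHTTPD {

    public SafeDebugServer(int port) {
        super(port);
        addMappings();
    }

    @Override
    public void addMappings() {
        super.addMappings();                      // keep the stock index and 404 handlers
        addRoute("/debug", EscapingDebugHandler.class);
    }

    /** Minimal HTML escaping, safe for text-node and quoted-attribute contexts. */
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Same output shape as GeneralHandler.get(), but the URI and every query
     * parameter name and value are escaped before being concatenated into HTML.
     */
    public static class EscapingDebugHandler extends DefaultHandler {
        @Override public String getText()     { throw new IllegalStateException("get() builds the body"); }
        @Override public String getMimeType() { return "text/html"; }
        @Override public IStatus getStatus()  { return Status.OK; }

        @Override
        public Response get(UriResource uriResource, Map<String, String> urlParams, IHTTPSession session) {
            StringBuilder html = new StringBuilder("<html><body><h1>Url: ");
            html.append(htmlEscape(session.getUri()));
            html.append("</h1>");
            Map<String, String> query = session.getParms();
            if (query.isEmpty()) {
                html.append("<p>no params in url</p>");
            } else {
                for (Map.Entry<String, String> e : query.entrySet()) {
                    html.append("<p>Param '").append(htmlEscape(e.getKey()))
                        .append("' = ").append(htmlEscape(e.getValue())).append("</p>");
                }
            }
            html.append("</body></html>");
            Response r = Response.newFixedLengthResponse(getStatus(), getMimeType(), html.toString());
            // Defence in depth: block inline script even if an escape is ever missed.
            r.addHeader("Content-Security-Policy", "default-src 'none'");
            r.addHeader("X-Content-Type-Options", "nosniff");
            return r;
        }
    }

    public static void main(String[] args) throws Exception {
        new SafeDebugServer(8080).start(SOCKET_READ_TIMEOUT, false);
    }
}
```

To check the fix, request `/debug?q=%3Cscript%3Ealert(1)%3C/script%3E` with curl and confirm the body contains `&lt;script&gt;` rather than `<script>`; the same request against a route served by the stock GeneralHandler returns the tag verbatim, which is the reflected XSS described above.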
Is CVE-2020-13697 being exploited?
Low: the EPSS score is 0.22%, a low predicted probability of exploitation in the next 30 days. EPSS is a prediction, not a record of observed attacks, and no public exploitation of this issue is listed on this page.
Affected packages (1)
- NanoHTTPD (nanolets module, RouterNanoHTTPD.GeneralHandler): all versions through 2.3.1
References (5)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2020-13697
- PATCH: github.com/NanoHttpd/nanohttpd
- WEB: github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/nanolets/pom.xml
- WEB: github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/nanolets/src/main/java/org/nanohttpd/router/RouterNanoHTTPD.java