CVE-2020-13959
Cross-site scripting (XSS) in Apache Velocity Tools
6.1
MEDIUM
CVSS 3.1
EPSS 3.2%
Description
The default error page of VelocityView in Apache Velocity Tools prior to 3.1 reflects the name of the .vm template requested in the URL back into the HTML of the error response without escaping it. An attacker can therefore craft a URL whose template name is an XSS payload and have it rendered in the victim's browser when the victim opens the link (hence the CVSS vector's UI:R). XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim, or for phishing attacks.
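The following Python block is an added illustration, not code from Apache Velocity Tools. It models the pattern described above with two hypothetical handlers: `vulnerable_error_page`, which interpolates the requested template name into the error markup verbatim, and `hardened_error_page`, which HTML-escapes it first. The `probe` helper is the check a tester would run against a deployment: request a template name that contains a marker and see whether the marker comes back unescaped. The request path and payload are constructed sample input.

```python
import html
from typing import Callable
from urllib.parse import unquote, urlsplit


def _template_name(request_path: str) -> str:
    """Take the last path segment of the URL and percent-decode it, the way a
    servlet container hands a decoded template name to the view handler.
    (Assumption for this model: the name is not validated before use.)"""
    raw_last_segment = urlsplit(request_path).path.rsplit("/", 1)[-1]
    return unquote(raw_last_segment)


def vulnerable_error_page(request_path: str) -> str:
    """Hypothetical pre-3.1-style error page: the template name is reflected
    into HTML with no output encoding, so markup in the name is rendered."""
    template = _template_name(request_path)
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Could not load template: {template}</p>"
        "</body></html>"
    )


def hardened_error_page(request_path: str) -> str:
    """Same page, but every reflected value is HTML-escaped (including quotes,
    so it is also safe inside attribute values)."""
    template = html.escape(_template_name(request_path), quote=True)
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Could not load template: {template}</p>"
        "</body></html>"
    )


# Constructed sample: a request for a non-existent .vm whose name carries an
# HTML marker. The attribute-based payload avoids '/' so it survives path splitting.
MARKER = "<img src=x onerror=alert(1)>"
PAYLOAD_PATH = "/velocity/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E.vm"


def probe(fetch: Callable[[str], str], path: str = PAYLOAD_PATH,
          marker: str = MARKER) -> bool:
    """Return True when the response to `path` contains `marker` verbatim,
    i.e. the template name was reflected without escaping. `fetch` is any
    callable mapping a request path to a response body (here the local
    handlers; against a real host it would be an HTTP client)."""
    return marker in fetch(path)


if __name__ == "__main__":
    print("vulnerable handler reflects unescaped:", probe(vulnerable_error_page))
    print("hardened handler reflects unescaped:  ", probe(hardened_error_page))
```

The escaped handler turns `<` and `>` into `&lt;` and `&gt;`, so the browser displays the template name as text instead of parsing it as an element. Upgrading to Velocity Tools 3.1 is the real fix; the escaping shown here is the general rule for any value an error page echoes from the request.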
How to fix CVE-2020-13959
To fix CVE-2020-13959, upgrade the affected package to one of the fixed versions listed below (package names are not given on this page).
- — upgrade to 2.0-8 or later
- — upgrade to 2.0-6+deb9u1 or later
- — upgrade to 3.1 or later
- — no fixed version listed
Is CVE-2020-13959 being exploited?
Low: the EPSS score is 3.2%, and no large-scale exploitation activity has been observed so far.
Affected packages (4)
- from 0, < 2.0-8
- from 0, < 2.0-6+deb9u1
- from 0, < 3.1
- from 0, <= 2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |