Lucene search

MitreCVE-2020-10449

HistoryMar 12, 2020 - 2:15 p.m.

CVE-2020-10449

2020-03-1214:15:17

CWE-79

mitre

web.nvd.nist.gov

cve-2020-10449

reflected xss

chadha phpkb

security vulnerability

admin

web script injection

html injection

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

32.0%

JSON

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-search.php by adding a question mark (?) followed by the payload.

Affected configurations

Nvd

Node

chadhaajayphpkbMatch9.0

VendorProductVersionCPE
chadhaajayphpkb9.0cpe:2.3:a:chadhaajay:phpkb:9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
chadhaajay	phpkb	9.0	cpe:2.3:a:chadhaajay:phpkb:9.0:::::::*

References

antoniocannito.it/?p=137#uxss

antoniocannito.it/phpkb1#reflected-cross-site-scripting-in-every-admin-page-cve-block-going-from-cve-2020-10391-to-cve-2020-10456

Social References

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

32.0%

JSON

Related for CVE-2020-10449