Lucene search

[email protected]CVE-2020-36324

HistoryApr 21, 2021 - 8:15 p.m.

CVE-2020-36324

2021-04-2120:15:36

CWE-79

[email protected]

web.nvd.nist.gov

165

cve-2020-36324

wikimedia

quarry

analytics

xss

security vulnerability

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

29.5%

JSON

Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows Reflected XSS because app.py does not explicitly set the application/json content type.

Affected configurations

NVD

Node

wikimediaanalytics-quarry-webRange<2020-12-15

CPENameOperatorVersion
wikimedia:analytics-quarry-webwikimedia analytics-quarry-weblt2020-12-15

CPE	Name	Operator	Version
wikimedia:analytics-quarry-web	wikimedia analytics-quarry-web	lt	2020-12-15

References

github.com/wikimedia/analytics-quarry-web/commit/4b7e1d6a3a52ec6cf826a971135a38b0f74785d2

quarry.wmflabs.org/

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

29.5%

JSON

Related for CVE-2020-36324

prion1 osv1 cvelist1 cnvd1 nvd1