CVE-2020-11944

2020-04-2022:15:13

Google

osv.dev

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.9%

JSON

Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in call in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception.

CPENameOperatorVersion
bitcoin-abeeq0.7.1
bitcoin-abeeq0.6
bitcoin-abeeq0.4
bitcoin-abeeq0.5
bitcoin-abeeq0.7.2
bitcoin-abeeq0.7

Name	Operator	Version
bitcoin-abe	eq	0.7.1
bitcoin-abe	eq	0.6
bitcoin-abe	eq	0.4
bitcoin-abe	eq	0.5
bitcoin-abe	eq	0.7.2
bitcoin-abe	eq	0.7

References

geeknik-labs.com

github.com/bitcoin-abe/bitcoin-abe/blob/d33f6e85de74e708e11cabe4ed0246e12025c726/Abe/abe.py#L253-L254

github.com/bitcoin-abe/bitcoin-abe/issues/292