Cross site scripting

🗓️ 10 Mar 2021 08:15:00Reported by PRIOn knowledge baseType

The default error page in Apache Velocity Tools prior to 3.1 reflects back the vm file entered in the URL, allowing XSS attack to execute arbitrary JavaScript and perform request on behalf of the victim

Reporter	Title	Published	Views	Family All 30
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache and Node.js affect IBM Spectrum Protect Plus	24 Apr 202106:55	–	ibm
CNNVD	Iteris Apache Velocity 跨站脚本漏洞	10 Mar 202100:00	–	cnnvd
CVE	CVE-2020-13959	10 Mar 202108:00	–	cve
Cvelist	CVE-2020-13959 Velocity Tools XSS Vulnerability	10 Mar 202108:00	–	cvelist
Debian	[SECURITY] [DLA 2597-1] velocity-tools security update	17 Mar 202116:30	–	debian
Debian CVE	CVE-2020-13959	10 Mar 202108:00	–	debiancve
Tenable Nessus	Debian DLA-2597-1 : velocity-tools security update	19 Mar 202100:00	–	nessus
Tenable Nessus	GLSA-202107-52 : Apache Velocity: Multiple vulnerabilities	29 Oct 202100:00	–	nessus
Tenable Nessus	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS : Velocity Tools vulnerability (USN-6282-1)	10 Aug 202300:00	–	nessus
Tenable Nessus	Unity Linux 20.1070e Security Update: velocity-tools (UTSA-2026-016718)	22 May 202600:00	–	nessus

Source	Link
lists	www.lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E
openwall	www.openwall.com/lists/oss-security/2021/03/10/2
lists	www.lists.debian.org/debian-lts-announce/2021/03/msg00021.html
security	www.security.gentoo.org/glsa/202107-52
lists	www.lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6%40%3Ccommits.velocity.apache.org%3E
lists	www.lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72%40%3Cannounce.apache.org%3E
lists	www.lists.apache.org/thread.html/r97edad0655770342d2d36620fb1de50b142fcd6c4f5c53dd72ca41d7%40%3Cuser.velocity.apache.org%3E

07 Nov 2023 03:17Current

6.6Medium risk

Vulners AI Score6.6

EPSS0.03207