CVSS3: 6.1 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |

CVSS2: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |

EPSS: 0.005 Low, Percentile 76.5%
The default error page for VelocityView in Apache Velocity Tools prior to
3.1 reflects back the vm file that was entered as part of the URL. An
attacker can set an XSS payload file as this vm file in the URL which
results in this payload being executed. XSS vulnerabilities allow attackers
to execute arbitrary JavaScript in the context of the attacked website and
the attacked user. This can be abused to steal session cookies, perform
requests in the name of the victim or for phishing attacks.
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | velocity-tools | < 2.0-7ubuntu0.18.04.1~esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | velocity-tools | < 2.0-7ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 16.04 | noarch | velocity-tools | < 2.0-4ubuntu0.1~esm1 | UNKNOWN |
www.openwall.com/lists/oss-security/2021/03/10/2
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13959
launchpad.net/bugs/cve/CVE-2020-13959
lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E
lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3@%3Cuser.velocity.apache.org%3E
lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E
lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72@%3Cannounce.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2020-13959
security-tracker.debian.org/tracker/CVE-2020-13959
ubuntu.com/security/notices/USN-6282-1