Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2020-13959

Disclosure Date: March 10, 2021 •

CVE-2020-13959 CVSS v3 Base Score: 6.1

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.1 Medium

Impact Score:

2.7

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

Vendors

apache,
debian

Products

debian linux 9.0,
velocity tools

References

Canonical

CVE-2020-13959 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13959)

Advisory

https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E

[velocity-user] 20210310 CVE-2020-13959: Velocity Tools XSS Vulnerability (https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3@%3Cuser.velocity.apache.org%3E)

[velocity-commits] 20210310 [velocity-site] 01/01: CVE announcement (https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E)

[announce] 20210310 CVE-2020-13959: Velocity Tools XSS Vulnerability (https://lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72@%3Cannounce.apache.org%3E)

[oss-security] 20210309 CVE-2020-13959: Velocity Tools XSS Vulnerability (http://www.openwall.com/lists/oss-security/2021/03/10/2)

[debian-lts-announce] 20210317 [SECURITY] [DLA 2597-1] velocity-tools security update (https://lists.debian.org/debian-lts-announce/2021/03/msg00021.html)

[velocity-user] 20210318 Re: CVE-2020-13959: Velocity Tools XSS Vulnerability (https://lists.apache.org/thread.html/r97edad0655770342d2d36620fb1de50b142fcd6c4f5c53dd72ca41d7@%3Cuser.velocity.apache.org%3E)

GLSA-202107-52 (https://security.gentoo.org/glsa/202107-52)

Rapid7

Unknown

CVE-2020-13959

Unknown

Unknown

Required

None

Network

CVE-2020-13959

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Unknown

CVE-2020-13959

Unknown

Unknown

Required

None

Network

CVE-2020-13959

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Quick Cookie Notification