CVE-2020-13959

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the name of the vm file that was entered as part of the URL. An attacker can supply an XSS payload as this vm file name in the URL, and the payload is executed when the error page is rendered. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim, or for phishing attacks.
Cross-site Scripting
Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  6.1 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
apache    CNA   ---         ---
CVE       ADP   ---         ---
Base Score: CVSS 3.x
EPSS Score Percentile: 88%
Vendor  Product         Version
apache  velocity_tools  x  < 3.1
debian  debian_linux    9.0

x = Vulnerable software versions
Debian Releases

Debian Product: velocity-tools

Codename  Version  Status
bookworm  2.0-8    fixed
bullseye  2.0-8    fixed
buster             no-dsa
sid       2.0-9    fixed
trixie    2.0-9    fixed
Ubuntu Releases

Ubuntu Product: velocity-tools

Codename  Version                          Status
lunar                                      not-affected
kinetic                                    ignored
jammy                                      not-affected
impish                                     ignored
hirsute                                    ignored
groovy                                     ignored
focal     Fixed 2.0-7ubuntu0.20.04.1       released
bionic    Fixed 2.0-7ubuntu0.18.04.1~esm1  released
xenial    Fixed 2.0-4ubuntu0.1~esm1        released
trusty                                     dne
References