CVE-2020-15263

EUVD-2020-1411
In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
GitHub_MCNA
8 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
Affected Products (NVD)
VendorProductVersion
orchidplatform
9.0.0 ≤
𝑥
< 9.4.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169
https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x
https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169
https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x