CVE-2020-36905

FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheckCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Common Weakness Enumeration
References
https://cxsecurity.com/issue/WLB-2020030140
https://exchange.xforce.ibmcloud.com/vulnerabilities/178269
https://packetstorm.news/files/id/156869
https://www.exploit-db.com/exploits/48240
https://www.fibaro.com
https://www.vulncheck.com/advisories/fibaro-system-home-center-remote-file-inclusion-via-proxy-api
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php