CVE-2020-13959

NameCVE-2020-13959
DescriptionThe default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2597-1
NVD severitymedium
Debian Bugs985221

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
velocity-tools (PTS)stretch2.0-6vulnerable
stretch (security)2.0-6+deb9u1fixed
buster2.0-7vulnerable
bullseye, sid2.0-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
velocity-toolssourcestretch2.0-6+deb9u1DLA-2597-1
velocity-toolssource(unstable)2.0-8985221

Notes

[buster] - velocity-tools <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2021/03/10/2
Fixed by: https://github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152

Search for package or bug name: Reporting problems