Vulnerability Details : CVE-2020-13697
An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that renders debug information as an HTML page. Any web server that extends this class without overriding its GET handler is vulnerable to reflected XSS, because the inherited handler writes the query-string parameters (names and values) into the page without any sanitization.
Vulnerability category: Cross site scripting (XSS)
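The following is an added example, not code from the NanoHTTPD project or from the advisory. It shows the vulnerable pattern the description refers to (a handler that extends GeneralHandler and inherits its unescaped debug page) next to a hardened handler that HTML-escapes the URI and every query parameter before building the page. It assumes the nanolets module (org.nanohttpd:nanolets:2.3.1) and the NanoHTTPD core are on the classpath; the class names DemoServer, DebugHandler, SafeDebugHandler and the /debug route are hypothetical.

```java
import java.util.Map;

import fi.iki.elonen.NanoHTTPD;
import fi.iki.elonen.router.RouterNanoHTTPD;

/**
 * Added example (not NanoHTTPD project code). Assumes the nanolets module
 * (org.nanohttpd:nanolets:2.3.1) is on the classpath. DemoServer,
 * DebugHandler, SafeDebugHandler and the /debug route are hypothetical names.
 */
public class DemoServer extends RouterNanoHTTPD {

    /**
     * Vulnerable pattern: no get() override, so the inherited GeneralHandler
     * debug page echoes every ?name=value pair into the HTML verbatim, which
     * is the reflected XSS described in CVE-2020-13697.
     */
    public static class DebugHandler extends RouterNanoHTTPD.GeneralHandler {
    }

    /** Hardened variant: same debug page, but every untrusted string is escaped for an HTML text context. */
    public static class SafeDebugHandler extends RouterNanoHTTPD.GeneralHandler {
        @Override
        public NanoHTTPD.Response get(RouterNanoHTTPD.UriResource uriResource,
                                      Map<String, String> urlParams,
                                      NanoHTTPD.IHTTPSession session) {
            StringBuilder html = new StringBuilder("<html><body><h1>Url: ")
                    .append(escapeHtml(session.getUri())).append("</h1>");
            Map<String, String> query = session.getParms();
            if (query.isEmpty()) {
                html.append("<p>no params in url</p>");
            } else {
                // Both the parameter name and the value are attacker-controlled.
                for (Map.Entry<String, String> e : query.entrySet()) {
                    html.append("<p>Param '").append(escapeHtml(e.getKey()))
                        .append("' = ").append(escapeHtml(e.getValue())).append("</p>");
                }
            }
            html.append("</body></html>");
            return NanoHTTPD.newFixedLengthResponse(getStatus(), getMimeType(), html.toString());
        }
    }

    /**
     * Escape for HTML element content. This is enough for text nodes; data placed
     * into attributes, URLs or script blocks needs that context's own encoding.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public DemoServer(int port) {
        super(port);
        addMappings();
    }

    @Override
    public void addMappings() {
        super.addMappings();
        // Swap SafeDebugHandler for DebugHandler to observe the unescaped reflection.
        addRoute("/debug", SafeDebugHandler.class);
    }

    public static void main(String[] args) throws Exception {
        DemoServer server = new DemoServer(8080);
        server.start(NanoHTTPD.SOCKET_READ_TIMEOUT, false);
        System.out.println("Listening on http://localhost:8080/debug");
    }
}
```

To check a deployment, request the route with a parameter that contains markup, for example `curl 'http://localhost:8080/debug?q=%3Cb%3Ex%3C/b%3E'`: with SafeDebugHandler the body contains `&lt;b&gt;x&lt;/b&gt;`, while a handler that inherits GeneralHandler's get() returns `<b>x</b>` unchanged. The same probe applies to any server built on RouterNanoHTTPD, since the flaw is in the inherited handler rather than in a particular route.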
Products affected by CVE-2020-13697
- cpe:2.3:a:nanohttpd:nanohttpd:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13697
- EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~41% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2020-13697
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
CWE ids for CVE-2020-13697
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-13697
- https://github.com/NanoHttpd/nanohttpd (GitHub - NanoHttpd/nanohttpd: Tiny, easily embeddable HTTP server in Java.) Product; Third Party Advisory
- https://www.vdoo.com/advisories (Vdoo | CVE Security Advisories) Third Party Advisory