Vulnerability Details : CVE-2020-22790
Authenticated stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute code by injecting arbitrary web script or HTML via modifying the name of the users. The XSS is executed when an administrator accesses the logs.
Vulnerability category: Cross site scripting (XSS)
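The pattern described above (an attacker-controlled user name stored by the server and later rendered, unescaped, in a log view an administrator opens) is illustrated by the following added example. It is not code from FME Server or from the advisories; the log records, field names and helper functions are constructed for the demonstration. It places the vulnerable concatenation next to the neutralized rendering and adds a small audit helper that flags stored names containing markup.

```python
import html
import re

# Constructed sample log records. The "user" field is the value an authenticated
# user can set as their display name; "time" and "event" are server-generated.
SAMPLE_LOG = [
    {"time": "2020-04-09T10:00:00Z", "user": "alice", "event": "login ok"},
    {"time": "2020-04-09T10:01:12Z",
     "user": "<script>alert(1)</script>",
     "event": "job submitted"},
    {"time": "2020-04-09T10:02:30Z",
     "user": 'bob<img src="x" onerror="alert(1)">',
     "event": "logout"},
]

FIELDS = ("time", "user", "event")


def render_row_unsafe(entry):
    """Vulnerable pattern: the stored user name is interpolated into HTML as-is,
    so any markup the user typed becomes live markup in the administrator's
    browser when the log page is viewed."""
    return "<tr>" + "".join(f"<td>{entry[k]}</td>" for k in FIELDS) + "</tr>"


def render_row_safe(entry):
    """Fixed pattern: every untrusted field is HTML-escaped (the neutralization
    CWE-79 asks for) before it is placed in the page served to other users.
    quote=True also escapes quotes, so the value is safe inside attributes."""
    cells = (html.escape(str(entry[k]), quote=True) for k in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Characters and tokens that have no place in a display name but are needed to
# build HTML or inline script. Used for review, not as a substitute for escaping.
MARKUP_RE = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)


def suspicious_names(entries):
    """Audit helper: return the stored user names that contain markup syntax so
    an operator can review them out-of-band (e.g. after applying the vendor fix)."""
    return [e["user"] for e in entries if MARKUP_RE.search(e["user"])]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print("unsafe:", render_row_unsafe(entry))
        print("safe:  ", render_row_safe(entry))
    print("names to review:", suspicious_names(SAMPLE_LOG))
```

Output encoding at render time is the fix; the audit helper only helps find names that were stored while the unescaped view was in use. Filtering names on input is not a replacement, because the same stored value may be rendered in several views with different contexts.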
Products affected by CVE-2020-22790
- cpe:2.3:a:safe:fme_server:2020.0:beta:*:*:*:*:*:*
- cpe:2.3:a:safe:fme_server:2019.0:*:*:*:*:*:*:*
- cpe:2.3:a:safe:fme_server:2019.1:*:*:*:*:*:*:*
- cpe:2.3:a:safe:fme_server:2019.2:beta:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-22790
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~46% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2020-22790
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
CWE ids for CVE-2020-22790
- CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-22790
- https://community.safe.com/s/article/FME-Server-Stored-Cross-Site-Scripting-XSS-Vulnerabilities
  Known Issue: FME Server Unauthenticated and Authenticated Stored Cross-Site Scripting (XSS) Vulnerabilities (Vendor Advisory)
- https://mexicanpentester.com/2020/04/09/vulnerabilities-in-fme-server-versions-2019-2-and-2020-0-beta-and-probably-previous-versions/
  Vulnerabilities in FME Server versions 2019.2 and 2020.0 Beta (and probably previous versions) - Ricardo Sanchez Marchand (Exploit; Third Party Advisory)
- https://community.safe.com/s/article/fme-server-2019-security-update
  FME Server 2019 Security Update (Vendor Advisory)