Vulnerability Details CVE-2020-22789
Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is executed when an administrator accesses the logs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 61.1%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- https://community.safe.com/s/article/FME-Server-Stored-Cross-Site-Scripting-XSS-Vulnerabilities
- https://community.safe.com/s/article/fme-server-2019-security-update
- https://mexicanpentester.com/2020/04/09/vulnerabilities-in-fme-server-versions-2019-2-and-2020-0-beta-and-probably-previous-versions/
- https://community.safe.com/s/article/FME-Server-Stored-Cross-Site-Scripting-XSS-Vulnerabilities
- https://community.safe.com/s/article/fme-server-2019-security-update
- https://mexicanpentester.com/2020/04/09/vulnerabilities-in-fme-server-versions-2019-2-and-2020-0-beta-and-probably-previous-versions/
Products affected by CVE-2020-22789
-
cpe:2.3:a:safe:fme_server:2019.0
-
cpe:2.3:a:safe:fme_server:2019.1
-
cpe:2.3:a:safe:fme_server:2019.2
-
cpe:2.3:a:safe:fme_server:2020.0