Vulnerability Details CVE-2020-22790
Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute codeby injecting arbitrary web script or HTML via modifying the name of the users. The XSS is executed when an administrator access the logs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.6%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- https://community.safe.com/s/article/FME-Server-Stored-Cross-Site-Scripting-XSS-Vulnerabilities
- https://community.safe.com/s/article/fme-server-2019-security-update
- https://mexicanpentester.com/2020/04/09/vulnerabilities-in-fme-server-versions-2019-2-and-2020-0-beta-and-probably-previous-versions/
- https://community.safe.com/s/article/FME-Server-Stored-Cross-Site-Scripting-XSS-Vulnerabilities
- https://community.safe.com/s/article/fme-server-2019-security-update
- https://mexicanpentester.com/2020/04/09/vulnerabilities-in-fme-server-versions-2019-2-and-2020-0-beta-and-probably-previous-versions/
Products affected by CVE-2020-22790
-
cpe:2.3:a:safe:fme_server:2019.0
-
cpe:2.3:a:safe:fme_server:2019.1
-
cpe:2.3:a:safe:fme_server:2019.2
-
cpe:2.3:a:safe:fme_server:2020.0