Lucene search

[email protected]CVE-2020-1949

HistoryApr 01, 2020 - 7:15 p.m.

CVE-2020-1949

2020-04-0119:15:14

CWE-79

[email protected]

web.nvd.nist.gov

sling cms

cve-2020-1949

reflected xss

security vulnerability

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.002 Low

EPSS

Percentile

56.1%

JSON

Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.

Affected configurations

NVD

Node

apachesling_cmsRange<0.16.0

CPENameOperatorVersion
apache:sling_cmsapache sling cmslt0.16.0

CPE	Name	Operator	Version
apache:sling_cms	apache sling cms	lt	0.16.0

CNA Affected

[
  {
    "product": "Apache Sling",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Sling CMS 0.14.0 and previous releases"
      }
    ]
  }
]

References

s.apache.org/CVE-2020-1949

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.002 Low

EPSS

Percentile

56.1%

JSON

Related for CVE-2020-1949

cvelist1 prion1 nvd1 osv1