CVE-2020-13639

{"id": "CVE-2020-13639", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-08-31T04:15:10.330", "references": [{"url": "https://labs.integrity.pt/advisories/CVE-2020-13639/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.outsystems.com/platform/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://labs.integrity.pt/advisories/CVE-2020-13639/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.outsystems.com/platform/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is viewed (it can only be viewed by Administrators), attacker-controlled JavaScript will execute in the security context of an administrator's browser. This is fixed in Outsystems 10.0.1005.2, Outsystems 11.9.0 Platform Server, and Outsystems 11.7.0 LifeTime Management Console."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de tipo XSS almacenado en el proveedor ECT de OutSystems antes del 04-09-2020, afectando a las aplicaciones generadas. Podr\u00eda permitir a un atacante remoto no autenticado dise\u00f1ar y almacenar contenido malicioso de Feedback en /ECT_Provider/, de tal manera que cuando el contenido es visualizado (s\u00f3lo puede ser visualizado por los Administradores), el JavaScript controlado por el atacante se ejecutar\u00e1 en el contexto de seguridad del navegador de un administrador. Esto es corregido en Outsystems versi\u00f3n 10.0.1005.2, Outsystems versi\u00f3n 11.9.0 Platform Server y Outsystems versi\u00f3n 11.7.0 LifeTime Management Console"}], "lastModified": "2024-11-21T05:01:39.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:outsystems:lifetime_management_console:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "844A1C31-3A1E-4AFD-9577-301197DE82BC", "versionEndExcluding": "11.7.0", "versionStartIncluding": "11"}, {"criteria": "cpe:2.3:a:outsystems:outsystems:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E2112CC-4D88-458E-88A6-606C51531E46", "versionEndExcluding": "10.0.1005.2", "versionStartIncluding": "10"}, {"criteria": "cpe:2.3:a:outsystems:platform_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "861FDDF7-4E0D-4EA3-909F-E8F4B552CA1E", "versionEndExcluding": "11.9.0", "versionStartIncluding": "11"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}