CVE-2020-13972

{"id": "CVE-2020-13972", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-09-03T15:15:11.283", "references": [{"url": "http://burninatorsec.blogspot.com/2020/09/cve-2020-13972-xss-via-ssrf-in.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://burninatorsec.blogspot.com/2020/09/cve-2020-13972-xss-via-ssrf-in.html", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Enghouse Web Chat 6.2.284.34 allows XSS. When one enters their own domain name in the WebServiceLocation parameter, the response from the POST request is displayed, and any JavaScript returned from the external server is executed in the browser. This is related to CVE-2019-16951."}, {"lang": "es", "value": "Enghouse Web Chat versi\u00f3n 6.2.284.34, permite un ataque de tipo XSS. Cuando uno ingresa su propio nombre de dominio en el par\u00e1metro WebServiceLocation, la respuesta de la petici\u00f3n POST es mostrada, y cualquier JavaScript devuelto desde el servidor externo es ejecutado en el navegador. Esto est\u00e1 relacionado con CVE-2019-16951"}], "lastModified": "2024-11-21T05:02:16.233", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:enghouse:web_chat:6.2.284.34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77214FC3-B6F4-4DB5-82E8-4198005F8C43"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}