CVE-2020-26505

{"id": "CVE-2020-26505", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-11-05T17:15:12.443", "references": [{"url": "https://www.marmind.com/en/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www2.deloitte.com/de/de/pages/risk/articles/marmind-xss.html?nc=1", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.marmind.com/en/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www2.deloitte.com/de/de/pages/risk/articles/marmind-xss.html?nc=1", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability in the \u201cMarmind\u201d web application with version 4.1.141.0 allows an attacker to inject code that will later be executed by legitimate users when they open the assets containing the JavaScript code. This would allow an attacker to perform unauthorized actions in the application on behalf of legitimate users or spread malware via the application. By using the \u201cAssets Upload\u201d function, an attacker can abuse the upload function to upload a malicious PDF file containing a stored XSS."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en la aplicaci\u00f3n web \"Marmind\" con versi\u00f3n 4.1.141.0, permite a un atacante inyectar c\u00f3digo que luego ser\u00e1 ejecutado por usuarios leg\u00edtimos cuando abran los activos que contienen el c\u00f3digo JavaScript. Esto permitir\u00eda a un atacante llevar a cabo acciones no autorizadas en la aplicaci\u00f3n en nombre de usuarios leg\u00edtimos o difundir malware por medio de la aplicaci\u00f3n. Al usar la funci\u00f3n \"Assets Upload\", un atacante puede abusar de la funci\u00f3n de carga para cargar un archivo PDF malicioso que contenga una vulnerabilidad de tipo XSS almacenado"}], "lastModified": "2024-11-21T05:19:55.293", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:marmind:marmind:4.1.141.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49F5DD96-2509-4803-A458-9382C87879AB"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}