CVE-2020-13959

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2020-13959
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2021-03-10 08:15:00 UTC
Updated2023-11-07 03:17:00 UTC
DescriptionThe default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Apache Velocity Tools All All All All
Operating System Debian Debian Linux 9.0 All All All

References

ReferenceSourceLinkTags
oss-security - CVE-2020-13959: Velocity Tools XSS Vulnerability MLIST www.openwall.com Mailing List, Third Party Advisory
[SECURITY] [DLA 2597-1] velocity-tools security update MLIST lists.debian.org
Pony Mail! CONFIRM lists.apache.org Mailing List, Vendor Advisory
Pony Mail! MLIST lists.apache.org Mailing List, Vendor Advisory
Pony Mail! lists.apache.org
Pony Mail! lists.apache.org
Pony Mail! lists.apache.org
Pony Mail! MLIST lists.apache.org Mailing List, Patch, Vendor Advisory
Pony Mail! MLIST lists.apache.org
Apache Velocity: Multiple vulnerabilities (GLSA 202107-52) — Gentoo security GENTOO security.gentoo.org
Pony Mail! MLIST lists.apache.org Mailing List, Vendor Advisory
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: This issue was reported and a patch was submitted by Jackson Henry, member of Sakura Samurai.

Legacy QID Mappings

  • 178495 Debian Security Update for velocity-tools (DLA 2597-1)
  • 199648 Ubuntu Security Notification for Velocity Tools Vulnerability (USN-6282-1)
  • 710043 Gentoo Linux Apache Velocity Multiple Vulnerabilities (GLSA 202107-52)
  • 981991 Java (maven) Security Update for org.apache.velocity:velocity-tools (GHSA-fh63-4r66-jc7v)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report