CVE-2019-20798

Published: May 18, 2020Modified: Nov 21, 2024

8.4

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Exploitability: 1.7 / Impact: 6.0

Source: NVD

Description

An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.

Affected (1)

Products: Cherokee Project: Cherokee

Cherokee Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cherokee Project Cherokee	Up to 1.2.104

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/cherokee/webserver/issues/1227

Source: cve@mitre.org

ExploitThird Party Advisory

https://logicaltrust.net/blog/2019/11/cherokee.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://security.gentoo.org/glsa/202012-09

Source: cve@mitre.org

Third Party Advisory

https://github.com/cherokee/webserver/issues/1227

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://logicaltrust.net/blog/2019/11/cherokee.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://security.gentoo.org/glsa/202012-09

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.