CVE-2020-26505

Published: Nov 5, 2020Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A Stored Cross-Site Scripting (XSS) vulnerability in the “Marmind” web application with version 4.1.141.0 allows an attacker to inject code that will later be executed by legitimate users when they open the assets containing the JavaScript code. This would allow an attacker to perform unauthorized actions in the application on behalf of legitimate users or spread malware via the application. By using the “Assets Upload” function, an attacker can abuse the upload function to upload a malicious PDF file containing a stored XSS.

Affected (1)

Products: Marmind: Marmind

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Marmind Marmind	Version 4.1.141.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://www.marmind.com/en/

Source: cve@mitre.org

Vendor Advisory

https://www2.deloitte.com/de/de/pages/risk/articles/marmind-xss.html?nc=1

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.marmind.com/en/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www2.deloitte.com/de/de/pages/risk/articles/marmind-xss.html?nc=1

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.