
CVE-2020-10203: Persistent Cross-Site scripting in Nexus Repository Manager

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.5693%
Published: 4/14/2020
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name: org.sonatype.nexus:nexus-core
Ecosystem: maven
Vulnerable Versions: < 3.21.2
First Patched Version: 3.21.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability involves two key phases: 1) unsanitized input accepted by the content selector creation REST endpoint, and 2) unescaped output when the UI renders that stored value. The GHSL report explicitly identifies both the injection vector (REST API creation) and the XSS trigger point (front-end rendering). While no patch code is available, the component structure and the vulnerability pattern indicate that these are the most likely affected functions, based on Nexus's architecture and standard XSS remediation patterns.
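The two phases above, each shown in its weak and its hardened form, as an added illustration that is not Nexus code and not part of the original page. The handler and render function names, the shape of the stored selector record, the allow-list used for the name field, and the sample request are all assumptions made for this example; the point is that input validation on the create endpoint and HTML escaping at render time are separate layers, and only the second one neutralizes markup in free-text fields.

```javascript
// Added example (not Nexus code). Names, record shape, validation policy and
// sample input are assumptions for illustration only.

// Assumed allow-list for a selector name: identifiers only, no markup characters.
const ALLOWED_NAME = /^[A-Za-z0-9_.-]{1,64}$/;

// Phase 1, input side (weak): the create handler stores whatever the request
// body carries, so markup in name/description persists in the store.
function createContentSelectorUnsafe(store, body) {
  const selector = { name: body.name, description: body.description || "" };
  store.push(selector);
  return selector;
}

// Phase 1, input side (hardened): reject names outside the allow-list before
// storing. The description stays free text, so this does not cover it.
function createContentSelectorSafe(store, body) {
  if (typeof body.name !== "string" || !ALLOWED_NAME.test(body.name)) {
    throw new Error("invalid content selector name");
  }
  const description = typeof body.description === "string" ? body.description : "";
  const selector = { name: body.name, description };
  store.push(selector);
  return selector;
}

// Phase 2, output side: escape the five characters that matter in HTML text
// and attribute context. Ampersand must be handled first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Weak render: stored values are interpolated into markup verbatim.
function renderSelectorRowUnsafe(selector) {
  return `<tr><td>${selector.name}</td><td>${selector.description}</td></tr>`;
}

// Hardened render: every untrusted value is escaped at the point of output.
function renderSelectorRowSafe(selector) {
  return `<tr><td>${escapeHtml(selector.name)}</td><td>${escapeHtml(
    selector.description
  )}</td></tr>`;
}

// Constructed sample request: a valid name, but a description carrying a
// script tag. This is test data made up for the example.
const SAMPLE_REQUEST = {
  name: "release-artifacts",
  description: '<script>alert("stored xss")</script>',
};

// Runs both phases and reports whether markup survives into the rendered row.
function demo() {
  const store = [];
  const stored = createContentSelectorSafe(store, SAMPLE_REQUEST);
  return {
    unsafeRowContainsScript: renderSelectorRowUnsafe(stored).includes("<script>"),
    safeRowContainsScript: renderSelectorRowSafe(stored).includes("<script>"),
    safeRow: renderSelectorRowSafe(stored),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running the block prints that the unescaped row still contains the script tag while the escaped row does not; the name allow-list would have stopped a payload placed in the name field, but the description shows why output escaping is the layer that has to be present in the UI.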


WAF Protection Rules

WAF Rule

Sonatype Nexus Repository before 3.21.2 allows XSS.

Reasoning

The vulnerability involves two key phases: 1) Unsanitized input through content selector creation REST endpoint, and 2) Unescaped output in UI rendering. The GHSL report explicitly identifies both the injection vector (REST API creation) and the XSS trigger point (front-end rendering).