6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-13959

GHSA ID

GHSA-fh63-4r66-jc7v

EPSS Score

0.88774%

CWE

CWE-79

Published

3/12/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-13959

CVE-2020-13959: Cross-site scripting (XSS) in Apache Velocity Tools

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-13959

GHSA ID

GHSA-fh63-4r66-jc7v

EPSS Score

0.88774%

CWE

CWE-79

Published

3/12/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.velocity.tools:velocity-tools-parent	maven	< 3.1	3.1
org.apache.velocity:velocity-tools	maven	<= 2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped reflection of the 'path' parameter in error pages. The critical code change occurs in VelocityViewServlet.error() method where the vulnerable version directly appended the raw path value to HTML output. The patch adds HTML escaping at this specific location. During exploitation, this method would appear in stack traces when processing invalid template requests containing XSS payloads in the path parameter.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** ****ult *rror p*** *or V*lo*ityVi*w in *p**** V*lo*ity Tools prior to *.* r**l**ts ***k t** vm *il* t**t w*s *nt*r** *s p*rt o* t** URL. *n *tt**k*r **n s*t *n XSS p*ylo** *il* *s t*is vm *il* in t** URL w*i** r*sults in t*is p*ylo** **in* *x**ut

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** r**l**tion o* t** 'p*t*' p*r*m*t*r in *rror p***s. T** *riti**l *o** ***n** o**urs in `V*lo*ityVi*wS*rvl*t.*rror()` m*t*o* w**r* t** vuln*r**l* v*rsion *ir**tly *pp*n*** t** r*w p*t* v*lu* to *TML output. T** p*

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-13959: Cross-site scripting (XSS) in Apache Velocity Tools

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI