
CVE-2020-13959: Cross-site scripting (XSS) in Apache Velocity Tools

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score
0.88774%
Published
3/12/2021
Updated
2/1/2023
KEV Status
No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.velocity.tools:velocity-tools-parent | maven | < 3.1 | 3.1
org.apache.velocity:velocity-tools | maven | <= 2.0 | (none; the 2.x line has no fix)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unescaped reflection of the requested template path in the error page. The critical code change is in the VelocityViewServlet.error() method: the vulnerable version appended the raw path value directly to the HTML output, and the patch adds HTML escaping at that location. Because the payload travels in the URL, exploitation needs a victim to open an attacker-supplied link, which matches the UI:R component of the CVSS vector above. During exploitation, this method would appear in stack traces when an invalid template request carrying an XSS payload in the path is processed.
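To make the root cause concrete, the following is an added Java illustration (not code from Apache Velocity Tools or from this page's author) that places the unescaped concatenation next to an escaped version of the same error page. The class name, the method names and the hand-rolled escapeHtml helper are assumptions for the example; the upstream project may use a library escaper instead. The request path is a constructed sample, not a captured request.

```java
import java.net.URLDecoder;

/**
 * Added illustration for CVE-2020-13959 (not Velocity Tools' own code).
 * A servlet that cannot find the requested template echoes the request
 * path into an HTML error page. vulnerableErrorPage() concatenates the raw
 * path, as the pre-3.1 error() method did; hardenedErrorPage() HTML-escapes
 * it first, which is the shape of the upstream fix.
 */
public class ErrorPageXssDemo {

    /** Vulnerable: the raw path lands in the markup, so '<', '>' and quotes break out of the text node. */
    static String vulnerableErrorPage(String path) {
        StringBuilder html = new StringBuilder();
        html.append("<html><body><h2>Error processing a template for path '");
        html.append(path);                       // unescaped reflection of user input
        html.append("'</h2></body></html>");
        return html.toString();
    }

    /** Hardened: every character that can change HTML context is entity-encoded before output. */
    static String hardenedErrorPage(String path) {
        StringBuilder html = new StringBuilder();
        html.append("<html><body><h2>Error processing a template for path '");
        html.append(escapeHtml(path));           // escaped at the point of output
        html.append("'</h2></body></html>");
        return html.toString();
    }

    /** Minimal HTML escaper written for this example (assumption: a real project would use a vetted library). */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Quick regression check: does the rendered page still contain a live script tag? */
    static boolean containsActiveScript(String html) {
        return html.contains("<script");
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker path, in the URL-encoded form a browser would send.
        String encoded = "/%3Cscript%3Ealert(1)%3C/script%3E.vm";
        String path = URLDecoder.decode(encoded, "UTF-8");

        String before = vulnerableErrorPage(path);
        String after  = hardenedErrorPage(path);

        System.out.println("vulnerable: " + before);
        System.out.println("hardened:   " + after);
        System.out.println("script survives in vulnerable page: " + containsActiveScript(before));
        System.out.println("script survives in hardened page:   " + containsActiveScript(after));
    }
}
```

The decode step matters for detection as well as for the demo: a WAF or log search that only looks for a literal `<script` in the raw request line will miss the percent-encoded form, so any rule written for this CVE should match on the decoded path.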

WAF Protection Rules

WAF Rule

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed.
