Vulnerability Description
An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cherokee-Project | Cherokee | <= 1.2.104 |
Related Weaknesses (CWE)
References
- https://github.com/cherokee/webserver/issues/1227ExploitThird Party Advisory
- https://logicaltrust.net/blog/2019/11/cherokee.htmlExploitThird Party Advisory
- https://security.gentoo.org/glsa/202012-09Third Party Advisory
- https://github.com/cherokee/webserver/issues/1227ExploitThird Party Advisory
- https://logicaltrust.net/blog/2019/11/cherokee.htmlExploitThird Party Advisory
- https://security.gentoo.org/glsa/202012-09Third Party Advisory
FAQ
What is CVE-2019-20798?
CVE-2019-20798 is a vulnerability with a CVSS score of 8.4 (HIGH). An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its adm...
How severe is CVE-2019-20798?
CVE-2019-20798 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-20798?
Check the references section above for vendor advisories and patch information. Affected products include: Cherokee-Project Cherokee.