CVE-2020-11499 — MEDIUM (6.1)

Vulnerability Description

Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFunctions/mongo_task_conversion.py.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Firmware Analysis And Comparison Tool Project	Firmware Analysis And Comparison Tool	3.0

Related Weaknesses (CWE)

CWE-79

References

https://github.com/fkie-cad/FACT_core/issues/375ExploitPatchThird Party Advisory
https://github.com/fkie-cad/FACT_core/pull/376ExploitThird Party Advisory
https://github.com/fkie-cad/FACT_core/issues/375ExploitPatchThird Party Advisory
https://github.com/fkie-cad/FACT_core/pull/376ExploitThird Party Advisory

FAQ

What is CVE-2020-11499?

CVE-2020-11499 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFunctio...

How severe is CVE-2020-11499?

CVE-2020-11499 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-11499?

Check the references section above for vendor advisories and patch information. Affected products include: Firmware Analysis And Comparison Tool Project Firmware Analysis And Comparison Tool.