Vulnerability Description
Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call__ in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception.
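The bug class described above, reflecting the request path into a "not found" page without HTML-escaping it, is easy to reproduce in a few lines of WSGI. The following is an added illustration written for this page, not code from bitcoin-abe's abe.py: the `route`, `PageNotFound`, and `make_app` names are assumptions, and the probe path is constructed. The vulnerable renderer echoes PATH_INFO raw; the fixed renderer escapes it first.

```python
"""Added example (not bitcoin-abe code): a minimal WSGI app whose 404 page
reflects PATH_INFO.  Shown unescaped (the bug class in CVE-2020-11944) and
then escaped.  Router and helper names are invented for this illustration."""
import html
from wsgiref.util import setup_testing_defaults


class PageNotFound(Exception):
    """Raised by the (hypothetical) router when no handler matches the path."""


def route(path_info):
    """Toy router: only '/' exists; anything else raises PageNotFound."""
    if path_info == "/":
        return "<h1>Home</h1>"
    raise PageNotFound(path_info)


def not_found_body_vulnerable(path_info):
    # Bug: the request path is interpolated into HTML verbatim.  WSGI servers
    # hand PATH_INFO to the app already percent-decoded, so a path such as
    # /%3Cscript%3E arrives as /<script> and is rendered as markup.
    return "<html><body><h1>Not Found</h1><p>%s</p></body></html>" % path_info


def not_found_body_fixed(path_info):
    # Fix: HTML-escape attacker-controlled text before it reaches the page.
    return "<html><body><h1>Not Found</h1><p>%s</p></body></html>" % html.escape(
        path_info, quote=True
    )


def make_app(render_404):
    """Build a WSGI callable whose 404 page is produced by render_404."""

    def app(environ, start_response):
        try:
            body = route(environ.get("PATH_INFO", ""))
            status = "200 OK"
        except PageNotFound as e:
            # The exception carries the unmatched path, as a 404 handler
            # that wants to tell the user what was not found would do.
            body = render_404(str(e))
            status = "404 Not Found"
        start_response(status, [("Content-Type", "text/html; charset=utf-8")])
        return [body.encode("utf-8")]

    return app


def call(app, path_info):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path_info
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks).decode("utf-8")


# Constructed probe path: harmless markup that would execute if reflected raw.
PROBE = "/<script>alert(1)</script>"

if __name__ == "__main__":
    for name, renderer in (
        ("vulnerable", not_found_body_vulnerable),
        ("fixed", not_found_body_fixed),
    ):
        status, body = call(make_app(renderer), PROBE)
        print(name, status, "raw <script> in body:", "<script>" in body)
```

The point to take from the fixed variant is that the escaping belongs at the output boundary, in the 404 renderer, not in the router: every code path that can end up echoing the path (including error handlers reached via an exception) then gets the same treatment.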
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitcoin-Abe Project | Bitcoin-Abe | <= 0.7.2, and the 0.8pre development version |
Related Weaknesses (CWE)
References
- https://geeknik-labs.com (Third Party Advisory)
- https://github.com/bitcoin-abe/bitcoin-abe/blob/d33f6e85de74e708e11cabe4ed0246e1 (Patch, Third Party Advisory)
- https://github.com/bitcoin-abe/bitcoin-abe/issues/292 (Broken Link)
FAQ
What is CVE-2020-11944?
CVE-2020-11944 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call__ in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception.
How severe is CVE-2020-11944?
CVE-2020-11944 has been rated MEDIUM with a CVSS base score of 6.1/10. It is a reflected cross-site scripting flaw: the attacker must get a victim to open a crafted URL on the affected Abe instance, and the impact is limited to what script can do in that victim's browser session on the site (for example reading or acting on the Abe site as that user). It does not give the attacker code execution on the server.
Is there a patch for CVE-2020-11944?
Yes. The references above link the upstream patch commit in the bitcoin-abe GitHub repository and the related issue (#292, currently marked as a broken link). Affected versions are Abe through 0.7.2 and the 0.8pre development version; update to a build that includes the patch. Until then, a local mitigation is to make sure the 404 handler in abe.py HTML-escapes PATH_INFO before echoing it into the response.