Vulnerability Description
A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is viewed (it can only be viewed by Administrators), attacker-controlled JavaScript will execute in the security context of an administrator's browser. This is fixed in Outsystems 10.0.1005.2, Outsystems 11.9.0 Platform Server, and Outsystems 11.7.0 LifeTime Management Console.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Outsystems | Lifetime Management Console | >= 11, < 11.7.0 |
| Outsystems | Outsystems | >= 10, < 10.0.1005.2 |
| Outsystems | Platform Server | >= 11, < 11.9.0 |
Related Weaknesses (CWE)
References
- https://labs.integrity.pt/advisories/CVE-2020-13639/Third Party Advisory
- https://www.outsystems.com/platform/Product
- https://labs.integrity.pt/advisories/CVE-2020-13639/Third Party Advisory
- https://www.outsystems.com/platform/Product
FAQ
What is CVE-2020-13639?
CVE-2020-13639 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store ma...
How severe is CVE-2020-13639?
CVE-2020-13639 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-13639?
Check the references section above for vendor advisories and patch information. Affected products include: Outsystems Lifetime Management Console, Outsystems Outsystems, Outsystems Platform Server.