Vulnerability Description
An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nanohttpd | Nanohttpd | <= 2.3.1 |
Related Weaknesses (CWE)
References
- https://github.com/NanoHttpd/nanohttpdProductThird Party Advisory
- https://www.vdoo.com/advisoriesThird Party Advisory
- https://github.com/NanoHttpd/nanohttpdProductThird Party Advisory
- https://www.vdoo.com/advisoriesThird Party Advisory
FAQ
What is CVE-2020-13697?
CVE-2020-13697 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that e...
How severe is CVE-2020-13697?
CVE-2020-13697 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-13697?
Check the references section above for vendor advisories and patch information. Affected products include: Nanohttpd Nanohttpd.