CVE-2019-20798 — Cross-site Scripting in Cherokee

CWE-79 — Cross-site Scripting6 documents4 sources

Severity

8.4HIGHNVD

EPSS

0.9%

top 24.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cherokee-project Cherokee

Timeline

PublishedMay 18

Latest updateMay 24

Description

An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:HExploitability: 1.7 | Impact: 6.0

Affected Packages1 packages

▶NVDcherokee-project/cherokee1.2.104

🔴Vulnerability Details

GHSA

GHSA-926v-x6q7-4hcv: An XSS issue was discovered in handler_server_info↗2022-05-24

▶

CVEList

CVE-2019-20798: An XSS issue was discovered in handler_server_info↗2020-05-17

▶

💬Community

Bugzilla

CVE-2019-20798 cherokee: XSS in the administrator panel↗2020-05-25

▶

Bugzilla

CVE-2019-20798 cherokee: XSS in the administrator panel [fedora-all]↗2020-05-25

▶

Bugzilla

CVE-2019-20798 cherokee: XSS in the administrator panel [epel-6]↗2020-05-25

▶