CVE-2020-24902
published 2021-01-07CVE-2020-24902: Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit…
PriorityP339medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
2.85%
85.0th percentile
Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quixplorer_project | quixplorer | < 2.4.1 | 2.4.1 |
| quixplorer_project | quixplorer | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Quixplorer <=2.4.1 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2020-24902 [MEDIUM] Quixplorer <=2.4.1 - Cross-Site Scripting
Quixplorer =2.4.2) or apply the vendor-supplied patch to mitigate this vulnerability.
reference:
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
- https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24902
cwe-id: CWE-79
epss-score: 0.06813
epss-percentile: 0.91347
cpe: cpe:2.3:a:quixplorer_project:quixplorer:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: quixplorer_project
product: quixplorer
shodan-query:
- http.title:"My Download Server"
- http.title:"my download server"
fofa-query: title="my download server"
google-query:
- intitle:"My Download Server"
- intitle:"my download server"
tags:
No writeups or analysis indexed.
2021-01-07
Published