cbcvebase.
CVE-2020-25864
published 2021-04-20

CVE-2020-25864: HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

Priority: P3 (42)
CVSS 3.1: 6.1 medium, vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit / EPSS: 6.09% (92.5th percentile)

Affected (8 ranges)

Vendor       Product           Version range                      Fixed in
debian       consul            < consul 1.8.7+dfsg1-2 (bullseye)  consul 1.8.7+dfsg1-2 (bullseye)
github.com   hashicorp_consul  >= 0, < 1.7.14                     1.7.14
github.com   hashicorp_consul  >= 1.8.0, < 1.8.10                 1.8.10
github.com   hashicorp_consul  >= 1.9.0, < 1.9.5                  1.9.5
hashicorp    consul            < 1.7.14                           1.7.14
hashicorp    consul            >= 0, < 1.8.7+dfsg1-2              1.8.7+dfsg1-2
hashicorp    consul            >= 1.8.0, < 1.8.10                 1.8.10
hashicorp    consul            >= 1.9.0, < 1.9.5                  1.9.5

Detection & IOCs (extracted from sources)

URL: /v1/kv/{{randstr}}%3Fraw
  • Look for GET requests to the Consul KV API endpoint (/v1/kv/<key>) with the raw query parameter. The indicator above uses the URL-encoded form %3Fraw, so decode request paths before matching. Reading a key in raw mode is how a stored payload is delivered to the browser.
  • Detect responses from the KV raw endpoint that carry Content-Type: text/html; that is what lets the browser execute a script stored in the key's value.
  • Flag HTTP 200 responses from /v1/kv/*?raw whose body contains script-injection payloads (for example <script> tags or event-handler attributes); this indicates a payload has already been written to the KV store and served back.
  • Consul versions up to and including 1.9.4 are vulnerable; flag any unpatched instance (fixed in 1.9.5, 1.8.10 and 1.7.14). Distribution packages may carry the fix under an older upstream version number (Debian bullseye: consul 1.8.7+dfsg1-2), so check the package version rather than the upstream number alone.
  • Only the Consul server/agent itself is affected, and only where KV raw mode is reachable; the Consul API client library alone is not affected.
  • The XSS is triggered specifically through KV raw mode; deployments that do not expose the Consul UI or the raw KV endpoint to untrusted users have reduced exposure.
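The indicators above turned into executable detection logic, together with the version check implied by the affected table, added here as an example; this is not code from the cbcvebase page or from HashiCorp. It assumes a hypothetical record shape (fields method, path, status, resp_content_type, body_excerpt, req_body_excerpt, as a reverse proxy or IDS export might provide) and runs over constructed sample records. It also flags the PUT that stores the payload, which the page's list does not mention.

```python
"""Added example, not code from the cbcvebase page or from HashiCorp.

Implements the detection bullets above (raw-mode KV reads, text/html
responses, script payloads in served bodies, unpatched versions) as pure
functions and runs them over constructed sample records.

Assumptions not present in the source:
  * Each record is a dict with hypothetical field names: method, path
    (including query string), status, resp_content_type, body_excerpt and,
    for writes, req_body_excerpt.  Map them to your pipeline's real names.
  * The KV write precursor (PUT /v1/kv/<key> carrying HTML) is flagged too;
    the page lists only the read side.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed releases from the advisory: 1.7.14, 1.8.10, 1.9.5.  Affected ranges:
# everything below 1.7.14, 1.8.0 <= v < 1.8.10 and 1.9.0 <= v < 1.9.5.
FIXED_BY_MINOR = {(1, 7): (1, 7, 14), (1, 8): (1, 8, 10), (1, 9): (1, 9, 5)}

# Rough signatures for HTML/JS payloads in a KV value.
SCRIPT_PAYLOAD = re.compile(
    r"<script\b|<svg\b|<img\b|\bon(?:error|load|click|mouseover|focus)\s*=|javascript:",
    re.I,
)


def parse_version(version: str) -> tuple:
    """'1.9.4+ent' -> (1, 9, 4); 'v1.8.7+dfsg1-2' -> (1, 8, 7).
    Build metadata and distro suffixes are dropped (see caveat below)."""
    core = re.split(r"[+-]", version.lstrip("v"), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version: str) -> bool:
    """Upstream version check only.  Distro packages can carry the fix under
    an older upstream number (Debian bullseye: consul 1.8.7+dfsg1-2 in the
    table above), so confirm via the package changelog before alerting."""
    ver = parse_version(version)
    if ver < (1, 7):
        return True                        # covered by the ">= 0 < 1.7.14" range
    fixed = FIXED_BY_MINOR.get(ver[:2])
    return fixed is not None and ver < fixed   # 1.10+ postdates the fix


def is_kv_raw_request(path: str) -> bool:
    """True for /v1/kv/<key>?raw, including the %3Fraw form in the indicator."""
    parts = urlsplit(unquote(path))        # %3Fraw -> ?raw before splitting
    if not parts.path.startswith("/v1/kv/"):
        return False
    return "raw" in parse_qs(parts.query, keep_blank_values=True)


def classify(rec: dict) -> list:
    """Return the indicator names a single request/response record trips."""
    findings = []
    method = rec.get("method", "").upper()
    path = rec.get("path", "")
    if method == "GET" and is_kv_raw_request(path):
        findings.append("kv-raw-read")
        if rec.get("status") == 200:
            ctype = (rec.get("resp_content_type") or "").lower()
            if ctype.startswith("text/html"):
                findings.append("html-content-type")
            elif not ctype:
                # Not in the page's list: without a Content-Type the browser
                # sniffs the body and may still render it as HTML.
                findings.append("missing-content-type")
            if SCRIPT_PAYLOAD.search(rec.get("body_excerpt") or ""):
                findings.append("script-payload-in-body")
    elif method == "PUT" and unquote(path).startswith("/v1/kv/"):
        if SCRIPT_PAYLOAD.search(rec.get("req_body_excerpt") or ""):
            findings.append("kv-write-html-payload")
    return findings


def scan(records) -> dict:
    """Map record index -> findings for every record tripping an indicator."""
    hits = {}
    for idx, rec in enumerate(records):
        findings = classify(rec)
        if findings:
            hits[idx] = findings
    return hits


# Constructed sample records (not real traffic).  Record 1 mirrors the
# indicator path above; record 2 is the write that stored its payload.
SAMPLE_RECORDS = [
    {"method": "GET", "path": "/v1/kv/app/config?raw", "status": 200,
     "resp_content_type": "text/plain; charset=utf-8", "body_excerpt": "db_host=10.0.0.5"},
    {"method": "GET", "path": "/v1/kv/x7f2q%3Fraw", "status": 200,
     "resp_content_type": "text/html; charset=utf-8",
     "body_excerpt": "<script>alert(document.domain)</script>"},
    {"method": "PUT", "path": "/v1/kv/x7f2q", "status": 200,
     "resp_content_type": "application/json",
     "req_body_excerpt": "<script>alert(document.domain)</script>", "body_excerpt": "true"},
    {"method": "GET", "path": "/v1/kv/app/config", "status": 200,
     "resp_content_type": "application/json", "body_excerpt": '[{"Key":"app/config"'},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx]["method"], SAMPLE_RECORDS[idx]["path"], findings)
    for v in ("1.9.4", "1.9.5", "1.8.7+dfsg1-2"):
        print(v, "vulnerable by upstream number" if is_vulnerable_version(v) else "fixed")
```

The first sample record shows why the raw-read indicator alone is noisy: legitimate tooling reads keys in raw mode constantly, so alert on the combination with a text/html response or a script-like body, and use the bare read as context. The version helper deliberately reports Debian's 1.8.7+dfsg1-2 as vulnerable, which is wrong for the patched bullseye package; that is the caveat from the bullet above in concrete form.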

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd             v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
osv                      6.1    MEDIUM
vendor_debian            6.1    MEDIUM
vendor_redhat            6.1    MEDIUM