Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-25864 — Cross-site Scripting in Hashicorp Consul

CWE-79 — Cross-site Scripting8 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

83.3%

top 0.72%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Hashicorp Consul Github.com Hashicorp Consul Debian Consul

Timeline

PublishedApr 20

Latest updateAug 20

Description

HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDhashicorp/consul1.8.0 — 1.8.10+2

▶Gogithub.com/hashicorp_consul1.8.0 — 1.8.10+2

▶Debianhashicorp/consul< 1.8.7+dfsg1-2

▶debiandebian/consul< consul 1.8.7+dfsg1-2 (bullseye)

🔴Vulnerability Details

OSV

HashiCorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul↗2024-08-20

▶

OSV

HashiCorp Consul Cross-site Scripting vulnerability↗2022-05-24

▶

GHSA

HashiCorp Consul Cross-site Scripting vulnerability↗2022-05-24

▶

OSV

CVE-2020-25864: HashiCorp Consul and Consul Enterprise up to version 1↗2021-04-20

▶

💥Exploits & PoCs

Nuclei

HashiCorp Consul/Consul Enterprise <=1.9.4 - Cross-Site Scripting

▶

📋Vendor Advisories

Red Hat

consul: specially crafted KV entry could be used to perform a XSS attack↗2021-04-14

▶

Debian

CVE-2020-25864: consul - HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mo...↗2020

▶