Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNtcXYtOGd4Zy1wZm00
TwitterServer Cross-site Scripting via /histograms endpoint
server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint.
Permalink: https://github.com/advisories/GHSA-3mqv-8gxg-pfm4JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNtcXYtOGd4Zy1wZm00
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-3mqv-8gxg-pfm4, CVE-2020-35774
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35774
- https://github.com/twitter/twitter-server/commit/e0aeb87e89a6e6c711214ee2de0dd9f6e5f9cb6c
- https://advisory.checkmarx.net/advisory/CX-2020-4287
- https://github.com/twitter/twitter-server/compare/twitter-server-20.10.0...twitter-server-20.12.0
- https://github.com/advisories/GHSA-3mqv-8gxg-pfm4
Blast Radius: 4.3
Affected Packages
maven:com.twitter:twitter-server_2.12
Dependent packages: 17Dependent repositories: 5
Downloads:
Affected Version Ranges: < 20.12.0
Fixed in: 20.12.0
All affected versions: 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0, 1.31.0, 1.32.0, 17.10.0, 17.11.0, 17.12.0, 18.1.0, 18.2.0, 18.3.0, 18.4.0, 18.5.0, 18.6.0, 18.7.0, 18.8.0, 18.9.0, 18.9.1, 18.10.0, 18.11.0, 18.12.0, 19.1.0, 19.2.0, 19.3.0, 19.4.0, 19.5.0, 19.5.1, 19.6.0, 19.7.0, 19.8.0, 19.9.0, 19.10.0, 19.11.0, 19.12.0, 20.1.0, 20.3.0, 20.4.0, 20.4.1, 20.5.0, 20.6.0, 20.7.0, 20.8.0, 20.8.1, 20.9.0, 20.10.0
All unaffected versions: 20.12.0, 21.1.0, 21.2.0, 21.3.0, 21.4.0, 21.5.0, 21.6.0, 21.8.0, 21.9.0, 21.10.0, 21.11.0, 21.12.0, 22.1.0, 22.2.0, 22.3.0, 22.4.0, 22.7.0, 22.12.0, 23.11.0