Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXByNW0tNHcyMi04NDgz
NanoHTTPD Cross-site Scripting vulnerability
An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization.
Permalink: https://github.com/advisories/GHSA-pr5m-4w22-8483JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXByNW0tNHcyMi04NDgz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
Identifiers: GHSA-pr5m-4w22-8483, CVE-2020-13697
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13697
- https://www.vdoo.com/advisories/#CVE-2020-13697
- https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/nanolets/pom.xml
- https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/nanolets/src/main/java/org/nanohttpd/router/RouterNanoHTTPD.java
- https://github.com/advisories/GHSA-pr5m-4w22-8483
Blast Radius: 0.0
Affected Packages
maven:org.nanohttpd:nanohttpd-nanolets
Dependent packages: 7Dependent repositories: 91
Downloads:
Affected Version Ranges: <= 2.3.1
No known fixed version
All affected versions: 2.2.0, 2.3.0, 2.3.1