CVE-2020-13697 – org.nanohttpd:nanohttpd-nanolets

Package

Manager: maven
Name: org.nanohttpd:nanohttpd-nanolets
Vulnerable Version: >=0 <=2.3.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00216 pctl0.44177

Details

NanoHTTPD Cross-site Scripting vulnerability An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization.

Metadata

Created: 2021-02-25T16:32:34Z
Modified: 2023-09-12T16:37:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-pr5m-4w22-8483/GHSA-pr5m-4w22-8483.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-pr5m-4w22-8483
Finding: F008
Auto approve: 1