Unauthenticated Stored XSS in FME Server: Remote Admin Privilege Escalation via Login Page

Unauthenticated Stored XSS in FME Server: Remote Admin Privilege Escalation via Login Page

CVE-2020-22789 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is executed when an administrator accesses the logs.

Learn more about our Web App Pen Testing.