Authenticated Stored XSS in FME Server: Remote Code Execution via User Name Modification in Logs

Authenticated Stored XSS in FME Server: Remote Code Execution via User Name Modification in Logs

CVE-2020-22790 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute codeby injecting arbitrary web script or HTML via modifying the name of the users. The XSS is executed when an administrator access the logs.

Learn more about our Web App Pen Testing.