CVE-2020-16270 - Vulnerability Details - OpenCVE

OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim’s browsers in context of vulnerable applications. Executed code can be used to steal administrator’s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.2994.

Key SSVC decision points have not yet been added.

Vendors	Products
Olimpoks	Olimpok

Configuration 1 [-]

cpe:2.3:a:olimpoks:olimpok:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bdu.fstec.ru/vul/2020-04623
https://github.com/Security-AVS/CVE-2020-16270
https://olimpoks.ru/oks/forum/olimpoks5.php

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-10-16T13:08:06

Updated: 2024-08-04T13:37:54.198Z

Reserved: 2020-08-03T00:00:00

Link: CVE-2020-16270

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-10-16T14:15:11.720

Modified: 2024-11-21T05:07:04.230

Link: CVE-2020-16270

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim\u2019s browsers in context of vulnerable applications. Executed code can be used to steal administrator\u2019s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-19T18:58:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://olimpoks.ru/oks/forum/olimpoks5.php"}, {"tags": ["x_refsource_MISC"], "url": "https://bdu.fstec.ru/vul/2020-04623"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Security-AVS/CVE-2020-16270"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16270", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim\u2019s browsers in context of vulnerable applications. Executed code can be used to steal administrator\u2019s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://olimpoks.ru/oks/forum/olimpoks5.php", "refsource": "MISC", "url": "https://olimpoks.ru/oks/forum/olimpoks5.php"}, {"name": "https://bdu.fstec.ru/vul/2020-04623", "refsource": "MISC", "url": "https://bdu.fstec.ru/vul/2020-04623"}, {"name": "https://github.com/Security-AVS/CVE-2020-16270", "refsource": "MISC", "url": "https://github.com/Security-AVS/CVE-2020-16270"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:37:54.198Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://olimpoks.ru/oks/forum/olimpoks5.php"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bdu.fstec.ru/vul/2020-04623"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Security-AVS/CVE-2020-16270"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16270", "datePublished": "2020-10-16T13:08:06", "dateReserved": "2020-08-03T00:00:00", "dateUpdated": "2024-08-04T13:37:54.198Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:olimpoks:olimpok:*:*:*:*:*:*:*:*", "matchCriteriaId": "9083ABB4-800D-459B-BB6F-32CB55756A21", "versionEndExcluding": "3.3.39", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim\u2019s browsers in context of vulnerable applications. Executed code can be used to steal administrator\u2019s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries."}, {"lang": "es", "value": "OLIMPOKS en 3.3.39 permite Auth/Admin ErrorMessage XSS. El Atacante Remoto puede usar la vulnerabilidad descubierta para inyectar carga \u00fatil JavaScript maliciosa a los navegadores de las v\u00edctimas en el contexto de aplicaciones vulnerables. El c\u00f3digo ejecutado puede utilizarse para robar las cookies del administrador, influir en el contenido HTML de la aplicaci\u00f3n objetivo y realizar ataques relacionados con la suplantaci\u00f3n de identidad (phishing). Aplicaci\u00f3n vulnerable utilizada en m\u00e1s de 3000 organizaciones de diferentes sectores, desde el comercio minorista hasta las industrias"}], "id": "CVE-2020-16270", "lastModified": "2024-11-21T05:07:04.230", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-16T14:15:11.720", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bdu.fstec.ru/vul/2020-04623"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Security-AVS/CVE-2020-16270"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://olimpoks.ru/oks/forum/olimpoks5.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bdu.fstec.ru/vul/2020-04623"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Security-AVS/CVE-2020-16270"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Vendor Advisory"], "url": "https://olimpoks.ru/oks/forum/olimpoks5.php"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}