CVE-2020-26221 - OpenCVE

touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser action. The issue is patched in version 2.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Touchbase.ai Project	Touchbase.ai

Configuration 1 [-]

cpe:2.3:a:touchbase.ai_project:touchbase.ai:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-jc3v-h36h-6mx3

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-11-11T22:20:12

Updated: 2024-08-04T15:49:07.286Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26221

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-11T23:15:11.743

Modified: 2020-11-17T17:22:13.523

Link: CVE-2020-26221

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "touchbase.ai", "vendor": "puncsky", "versions": [{"status": "affected", "version": "< 2.0"}]}], "descriptions": [{"lang": "en", "value": "touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser action. The issue is patched in version 2.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-11T22:20:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-jc3v-h36h-6mx3"}], "source": {"advisory": "GHSA-jc3v-h36h-6mx3", "discovery": "UNKNOWN"}, "title": "Stored Cross Site Scripting in touchbase.ai", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26221", "STATE": "PUBLIC", "TITLE": "Stored Cross Site Scripting in touchbase.ai"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "touchbase.ai", "version": {"version_data": [{"version_value": "< 2.0"}]}}]}, "vendor_name": "puncsky"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser action. The issue is patched in version 2.0."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-jc3v-h36h-6mx3", "refsource": "CONFIRM", "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-jc3v-h36h-6mx3"}]}, "source": {"advisory": "GHSA-jc3v-h36h-6mx3", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:07.286Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-jc3v-h36h-6mx3"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26221", "datePublished": "2020-11-11T22:20:12", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:49:07.286Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:touchbase.ai_project:touchbase.ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "30CC5E42-0D4C-45BD-B3FA-072DDE3FBA5D", "versionEndExcluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser action. The issue is patched in version 2.0."}, {"lang": "es", "value": "touchbase.ai anterior a versi\u00f3n 2.0 es vulnerable a Cross-Site Scripting (XSS). La vulnerabilidad permite a un atacante enviar c\u00f3digo JavaScript malicioso que podr\u00eda resultar en el secuestro de los tokens de cookies y sesi\u00f3n del usuario, redireccionar al usuario a una p\u00e1gina web maliciosa y realizar una acci\u00f3n no deseada del navegador. El problema es parcheado en la versi\u00f3n 2.0"}], "id": "CVE-2020-26221", "lastModified": "2020-11-17T17:22:13.523", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-11-11T23:15:11.743", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-jc3v-h36h-6mx3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}