PT-2020-13892 · Kumbiaphp · Kumbiaphp

Jenaye

Published

2020-06-15

Updated

2022-05-24

CVE-2020-14146

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions KumbiaPHP versions 1.1.1 and earlier

Description The issue allows for XSS via the "public/pages/kumbia" PATH INFO, specifically when KumbiaPHP is in Development mode.

Recommendations For versions 1.1.1 and earlier, consider disabling Development mode to mitigate the risk of exploitation. Restrict access to the "public/pages/kumbia" PATH INFO to minimize the risk of XSS attacks. Avoid using the PATH INFO variable in the affected API endpoint until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-14146

GHSA-X6GQ-VR59-4Q5Q

Affected Products

Kumbiaphp

PT-2020-13892 · Kumbiaphp · Kumbiaphp

CVE-2020-14146

Weakness Enumeration

Related Identifiers

Affected Products

References · 7