PT-2020-16402 · Browserup · Browserup Proxy

Published 2020-12-24 · Updated 2020-12-31 · CVE-2020-26282

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

BrowserUp Proxy versions prior to 2.1.2

Description

A Server-Side Template Injection was identified in BrowserUp Proxy, enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE). This issue allows attackers to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. The vulnerability is especially concerning when BrowserUp Proxy is embedded in Selenium tests.

Recommendations

For versions prior to 2.1.2, upgrade to version 2.1.2 or higher to resolve the issue. As a temporary workaround, consider restricting access to the proxy server to minimize the risk of exploitation. Avoid using the vulnerable Java EL expressions in the affected proxy server until the issue is resolved.

Exploit

Fix

Special Elements Injection


Weakness Enumeration

Related Identifiers

CVE-2020-26282
GHSA-WMFG-55F9-J8HQ

Affected Products

Browserup Proxy