PT-2020-19266 · Sos · Sos Jobscheduler
Oliver Haufe
·
Published
2020-02-05
·
Updated
2020-02-07
·
CVE-2020-6854
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
SOS JobScheduler versions 1.11 through 1.13.2
Description
A cross-site scripting (XSS) issue allows attackers to inject arbitrary web script or HTML via JSON properties available from the REST API. This affects the JOC Cockpit component.
Recommendations
For SOS JobScheduler versions 1.11 through 1.13.2, consider restricting access to the REST API to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using JSON properties that allow arbitrary web script or HTML injection in the JOC Cockpit component.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sos Jobscheduler