PT-2021-9673 · Nanohttpd · Nanohttpd

Published

2021-02-23

·

Updated

2021-02-26

·

CVE-2020-13697

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

NanoHTTPD versions through 2.3.1

Description

An issue was discovered in RouterNanoHTTPD.java. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization.

Recommendations

For versions through 2.3.1, consider implementing a custom GET handler to sanitize user input passed through the query string, or restrict access to the GeneralHandler class to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
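As an added illustration of the recommended mitigation (this is not code from the advisory or from the NanoHTTPD project), the following Java class swaps GeneralHandler for a handler that HTML-escapes the request URI and every query-string name and value before echoing them, and installs it as the router's not-found handler, which is where GeneralHandler is wired by default. It assumes the NanoHTTPD 2.3.x RouterNanoHTTPD API (DefaultHandler, UriResource, IHTTPSession, addMappings, setNotFoundHandler); SafeEchoServer and EscapedParamsHandler are invented names.

```java
// Added example, not advisory or NanoHTTPD code; assumes the 2.3.x RouterNanoHTTPD API.
import java.io.IOException;
import java.util.Map;
import fi.iki.elonen.NanoHTTPD;
import fi.iki.elonen.router.RouterNanoHTTPD;

public class SafeEchoServer extends RouterNanoHTTPD {          // class and handler names are invented
    /** Encodes the five characters that break out of HTML text or attribute context. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    /** Renders the same debug page as GeneralHandler, but escapes every request-derived string. */
    public static class EscapedParamsHandler extends DefaultHandler {
        @Override public String getText() { return ""; }   // unused: get() builds the body itself
        @Override public String getMimeType() { return "text/html; charset=utf-8"; }
        @Override public Response.IStatus getStatus() { return Response.Status.OK; }
        @Override public Response get(UriResource uriResource, Map<String, String> urlParams, IHTTPSession session) {
            StringBuilder html = new StringBuilder("<html><body><h1>Url: ")
                    .append(escapeHtml(session.getUri())).append("</h1>");
            for (Map.Entry<String, String> e : session.getParms().entrySet()) {   // query-string pairs
                html.append("<p>Param '").append(escapeHtml(e.getKey()))
                    .append("' = ").append(escapeHtml(e.getValue())).append("</p>");
            }
            html.append("</body></html>");
            return newFixedLengthResponse(getStatus(), getMimeType(), html.toString());
        }
    }
    public SafeEchoServer(int port) throws IOException {
        super(port);
        addMappings();
        start(NanoHTTPD.SOCKET_READ_TIMEOUT, false);
    }
    @Override public void addMappings() {
        super.addMappings();                              // keeps the stock index routes
        setNotFoundHandler(EscapedParamsHandler.class);   // GeneralHandler is the default 404 page; replace it
    }
}
```

A request such as `/missing?name=<b>x</b>` now renders the literal text `&lt;b&gt;x&lt;/b&gt;` instead of markup, which is the check to run against a server built on RouterNanoHTTPD.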

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-13697
GHSA-PR5M-4W22-8483

Affected Products

Nanohttpd