CVE-2020-13959

Name of the Vulnerable Software and Affected Versions Apache Velocity Tools versions prior to 3.1

Description The default error page for VelocityView in Apache Velocity Tools reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL, which results in this payload being executed. This allows attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user, potentially leading to the theft of session cookies, performing requests in the name of the victim, or phishing attacks.

Recommendations For versions prior to 3.1, update to version 3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the default error page for VelocityView to minimize the risk of exploitation. Avoid using user-inputted vm files in the URL until the issue is resolved.