ID

VAR-202002-1212


CVE

CVE-2020-6804


TITLE

Cross-site scripting vulnerability in gateway

Trust: 0.8

sources: JVNDB: JVNDB-2020-002315

DESCRIPTION

A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system. A cross-site scripting vulnerability exists in gateway. Information may be obtained and tampered with. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client-side code.

Trust: 1.71

sources: NVD: CVE-2020-6804 // JVNDB: JVNDB-2020-002315 // VULHUB: VHN-184929

AFFECTED PRODUCTS

vendor: mozilla | model: webthings gateway | scope: gte | version: 0.3.0

Trust: 1.0

vendor: mozilla | model: webthings gateway | scope: lt | version: 0.12.0

Trust: 1.0

vendor: mozilla | model: webthings gateway | scope: - | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-002315 // NVD: CVE-2020-6804

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-6804
value: MEDIUM

Trust: 1.0

security@mozilla.org: CVE-2020-6804
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-002315
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202002-1322
value: MEDIUM

Trust: 0.6

VULHUB: VHN-184929
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-6804
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002315
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-184929
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-6804
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

security@mozilla.org: CVE-2020-6804
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-002315
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184929 // JVNDB: JVNDB-2020-002315 // CNNVD: CNNVD-202002-1322 // NVD: CVE-2020-6804 // NVD: CVE-2020-6804

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-184929 // JVNDB: JVNDB-2020-002315 // NVD: CVE-2020-6804

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1322

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202002-1322

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002315

PATCH

title: Always redirect to / after login. #2446
url: https://github.com/mozilla-iot/gateway/pull/2446

Trust: 0.8

title: WebThings Gateway Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111095

Trust: 0.6

sources: JVNDB: JVNDB-2020-002315 // CNNVD: CNNVD-202002-1322

EXTERNAL IDS

db: NVD | id: CVE-2020-6804

Trust: 2.5

db: JVNDB | id: JVNDB-2020-002315

Trust: 0.8

db: CNNVD | id: CNNVD-202002-1322

Trust: 0.7

db: VULHUB | id: VHN-184929

Trust: 0.1

sources: VULHUB: VHN-184929 // JVNDB: JVNDB-2020-002315 // CNNVD: CNNVD-202002-1322 // NVD: CVE-2020-6804

REFERENCES

url: https://github.com/mozilla-iot/gateway/pull/2446

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-6804

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6804

Trust: 0.8

sources: VULHUB: VHN-184929 // JVNDB: JVNDB-2020-002315 // CNNVD: CNNVD-202002-1322 // NVD: CVE-2020-6804

SOURCES

db: VULHUB | id: VHN-184929
db: JVNDB | id: JVNDB-2020-002315
db: CNNVD | id: CNNVD-202002-1322
db: NVD | id: CVE-2020-6804

LAST UPDATE DATE

2024-11-23T23:11:33.693000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-184929 | date: 2020-03-03T00:00:00
db: JVNDB | id: JVNDB-2020-002315 | date: 2020-03-11T00:00:00
db: CNNVD | id: CNNVD-202002-1322 | date: 2021-01-05T00:00:00
db: NVD | id: CVE-2020-6804 | date: 2024-11-21T05:36:12.783

SOURCES RELEASE DATE

db: VULHUB | id: VHN-184929 | date: 2020-02-28T00:00:00
db: JVNDB | id: JVNDB-2020-002315 | date: 2020-03-11T00:00:00
db: CNNVD | id: CNNVD-202002-1322 | date: 2020-02-28T00:00:00
db: NVD | id: CVE-2020-6804 | date: 2020-02-28T23:15:11.543