Scan free
LOWCVE-2020-36527CVSS 3.5

CVE-2020-36527: XSS in Server Status

Platform

other

Component

server-status

AI Confidence: mediumNVDEPSS 0.2%Reviewed: May 2026
View on NVD
Save

CVE-2020-36527 describes a problematic cross-site scripting (XSS) vulnerability discovered in Server Status. This flaw allows attackers to inject malicious scripts through manipulation of HTTP and SMTP status processing. The vulnerability impacts unknown versions of Server Status and has been publicly disclosed, increasing the risk of exploitation. Mitigation strategies involve input validation and output encoding.

Impact and Attack Scenarios

Successful exploitation of CVE-2020-36527 allows an attacker to inject arbitrary JavaScript code into the Server Status application. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially steal sensitive information displayed within the application or redirect users to malicious websites. Given the XSS nature, the impact can range from minor annoyance to significant data compromise, depending on the application's functionality and the attacker's skill.

Exploitation Context

This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No specific exploit campaigns or KEV listing are currently associated with CVE-2020-36527. The CVSS score of 3.5 (LOW) suggests a relatively low probability of exploitation, but the public disclosure necessitates prompt mitigation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.21% (43% percentile)

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentserver-status
Vendorunspecified
Affected rangeFixed in
n/a – n/a

Weakness Classification (CWE)

CWE-79

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 1451 days since disclosure

Mitigation and Workarounds

Due to the unknown affected versions, a direct upgrade path might not be immediately available. Prioritize implementing robust input validation and output encoding techniques to sanitize user-supplied data before it is displayed. Specifically, carefully validate and sanitize any data received via HTTP or SMTP status updates. Consider implementing a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security configurations to minimize the attack surface. After implementing these mitigations, thoroughly test the application to ensure that XSS vulnerabilities are effectively prevented.

How to fix

Actualizar Server Status a una versión parcheada que solucione la vulnerabilidad XSS. Si no hay actualizaciones disponibles, considerar deshabilitar o reemplazar el componente HTTP Status/SMTP Status. Validar y sanitizar las entradas de usuario para prevenir la inyección de código malicioso.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2020-36527 — XSS in Server Status?

CVE-2020-36527 is a cross-site scripting (XSS) vulnerability in Server Status that allows attackers to inject malicious scripts via HTTP/SMTP status handling.

Am I affected by CVE-2020-36527 in Server Status?

If you are using Server Status and the affected version is unknown, you are potentially at risk. Prioritize implementing input validation and output encoding.

How do I fix CVE-2020-36527 in Server Status?

Upgrade to a patched version if available. If not, implement input validation and output encoding to sanitize user-supplied data.

Is CVE-2020-36527 being actively exploited?

While no active campaigns are confirmed, the public disclosure increases the risk of exploitation. Monitor your systems for suspicious activity.

Where can I find the official Server Status advisory for CVE-2020-36527?

Due to the lack of vendor information, a direct advisory is unavailable. Consult security research websites and forums for updates.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs