Platform
php
Component
geni-portal
CVE-2020-36654 describes a problematic cross-site scripting (XSS) vulnerability discovered in the GENI Portal. This flaw allows attackers to inject malicious scripts through manipulation of the invocationid/invocationuser argument within the portal/www/portal/sliceresource.php file. Affected versions are those prior to the patch identified as 39a96fb4b822bd3497442a96135de498d4a81337. Applying the patch is the recommended solution.
Successful exploitation of CVE-2020-36654 allows an attacker to inject arbitrary JavaScript code into the GENI Portal web application. This can lead to various malicious outcomes, including session hijacking, defacement of the portal, and redirection of users to phishing sites. The attacker could potentially steal sensitive user data or gain unauthorized access to the system. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the portal.
CVE-2020-36654 was published on January 18, 2023. No public proof-of-concept (PoC) code is currently known. The vulnerability's CVSS score is LOW, suggesting a relatively low probability of exploitation in the wild. It is not listed on the CISA KEV catalog at the time of this writing.
Organizations utilizing the GENI Portal software, particularly those with publicly accessible instances, are at risk. Systems with outdated versions of GENI Portal, or those lacking robust input validation and output encoding mechanisms, are especially vulnerable.
• php / web:
grep -r 'invocation_id/invocation_user' /var/www/html/portal/www/portal/sliceresource.php• generic web:
curl -I <GENI Portal URL>/portal/www/portal/sliceresource.php?invocation_id=<script>alert(1)</script>disclosure
Exploit Status
EPSS
0.49% (66% percentiel)
CVSS-vector
The primary mitigation for CVE-2020-36654 is to apply the provided patch: 39a96fb4b822bd3497442a96135de498d4a81337. If immediate patching is not possible, consider implementing input validation and output encoding on the invocationid and invocationuser parameters to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. After applying the patch, verify the fix by attempting to inject a simple JavaScript payload through the invocationid/invocationuser parameter and confirming that it is properly sanitized.
Aplicar el parche 39a96fb4b822bd3497442a96135de498d4a81337 proporcionado por el proveedor para corregir la vulnerabilidad de Cross-Site Scripting (XSS) en el archivo sliceresource.php. Alternativamente, actualizar GENI Portal a una versión que incorpore esta corrección. Revisar el código afectado para asegurar que la entrada del usuario (invocation_id/invocation_user) esté correctamente sanitizada para prevenir futuros ataques XSS.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2020-36654 is a cross-site scripting (XSS) vulnerability in GENI Portal that allows attackers to inject malicious scripts via the invocationid/invocationuser parameter.
You are affected if you are using a version of GENI Portal prior to the patch 39a96fb4b822bd3497442a96135de498d4a81337.
Apply the patch 39a96fb4b822bd3497442a96135de498d4a81337. Consider input validation and output encoding as a temporary measure.
There are currently no confirmed reports of active exploitation of CVE-2020-36654.
Refer to the vulnerability description for the associated VDB identifier (VDB-218475) for more information.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.