Platform: java
Component: indeedeng/util
Versions: 1.0.1 through 1.0.34
Fixed in: 1.0.34
CVE-2020-36634 is a cross-site scripting (XSS) vulnerability in Indeed Engineering util, rated as problematic (low severity). It allows an attacker to inject script into pages the library renders, which can lead to session hijacking or defacement of the affected application. Versions 1.0.0 through 1.0.33 are affected; the fix is in version 1.0.34.
Successful exploitation of CVE-2020-36634 lets an attacker execute arbitrary JavaScript in the context of a victim's browser session on the affected origin. The script can read session cookies that are not flagged HttpOnly and use them to impersonate the user, or it can rewrite page content to redirect users to attacker-controlled sites or display misleading information. The impact is confined to user-facing components of the application, and the blast radius depends on the sensitivity of the data that the application handles and on whether other applications share the same origin.
CVE-2020-36634 was published on December 27, 2022. While no active exploitation campaigns have been publicly reported, the presence of a publicly known XSS vulnerability increases the risk of opportunistic attacks. There are no known public proof-of-concept exploits available at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using Indeed Engineering util in their applications, particularly those handling sensitive user data, are at risk. Deployments that serve several applications from one origin (same scheme, host and port) are also exposed: XSS is scoped by origin, so a script injected through one application can access the cookies and DOM of every other application on that origin.
• java / server:
# Check for vulnerable versions of Indeed Engineering util (varexport module).
# The version must be a glob, not a literal "x"; the leading wildcard also matches artifact names that carry a prefix.
find / -name '*varexport-1.0.*.jar' -print 2>/dev/null
# In a Maven build, check the declared version rather than the shipped jar.
grep -n -i 'varexport' pom.xml
• generic web:
# Response headers cannot confirm or rule out XSS; this only shows whether a Content-Security-Policy is present to limit the impact of an injected script.
curl -sI <application_url> | grep -i 'content-security-policy'
Discovery
Disclosure
Exploit status
EPSS: 0.30% (53rd percentile)
CVSS vector
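The version check above stops at listing jar names; deciding whether a found version is actually affected needs a numeric comparison, because a string sort puts 1.0.9 after 1.0.34. The following script is an added example and not part of the advisory or the project: it scans a directory tree for varexport jars, extracts the version from the file name (assuming the `<prefix>varexport-<version>.jar` naming the page's own check uses) and flags anything below 1.0.34.

```shell
#!/bin/sh
# Added example (not from the advisory or the project): classify varexport jars
# for CVE-2020-36634. Affected: 1.0.0 .. 1.0.33; fixed: 1.0.34 and later.

FIXED_VERSION="1.0.34"

# Compare two dotted versions field by field, numerically.
# Prints -1, 0 or 1 for a < b, a == b, a > b. Non-numeric suffixes such as
# "-SNAPSHOT" are ignored for the comparison.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        a_head="${a%%.*}"; b_head="${b%%.*}"
        # Drop the consumed field (or empty the string on the last field).
        [ "$a" = "$a_head" ] && a="" || a="${a#*.}"
        [ "$b" = "$b_head" ] && b="" || b="${b#*.}"
        # Keep only leading digits; a missing field counts as 0.
        a_head="${a_head%%[!0-9]*}"; b_head="${b_head%%[!0-9]*}"
        a_head="${a_head:-0}"; b_head="${b_head:-0}"
        if [ "$a_head" -lt "$b_head" ]; then printf '%s\n' -1; return; fi
        if [ "$a_head" -gt "$b_head" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Extract the version from a jar path such as /opt/app/lib/util-varexport-1.0.12.jar.
# Assumes the artifact name ends in "varexport-<version>.jar".
jar_version() {
    v="${1##*/}"             # drop the directory part
    v="${v##*varexport-}"    # drop everything up to and including "varexport-"
    v="${v%.jar}"            # drop the extension
    printf '%s\n' "$v"
}

# Succeed (exit 0) when the given version is below the fixed release.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Walk a directory tree and report every varexport jar with its verdict.
scan_jars() {
    root="$1"
    find "$root" -name '*varexport-*.jar' 2>/dev/null | while IFS= read -r jar; do
        v="$(jar_version "$jar")"
        if is_affected "$v"; then
            printf 'VULNERABLE %s (version %s < %s)\n' "$jar" "$v" "$FIXED_VERSION"
        else
            printf 'ok         %s (version %s)\n' "$jar" "$v"
        fi
    done
}

# Usage: scan_varexport.sh /path/to/deployment
if [ "$#" -gt 0 ]; then
    scan_jars "$1"
fi
```

Run it against the application's install root rather than `/` where possible; the verdict is based only on the file name, so a jar that was repackaged or shaded under another name will not be found and the Maven check on pom.xml remains necessary.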
The primary mitigation for CVE-2020-36634 is to upgrade Indeed Engineering util to version 1.0.34 or later, which contains the fix (patch c0952a9db51a880e9544d9fac2a2218a6bfc9c63). If an immediate upgrade is not possible, apply input validation and, above all, context-appropriate output encoding to any user-supplied data that the library renders, so that injected markup is displayed rather than interpreted. A web application firewall (WAF) tuned to block XSS payloads adds a temporary layer of protection but is not a substitute for the fix. After upgrading, confirm both that the resolved dependency version is 1.0.34 or later and that a simple XSS payload submitted to the previously vulnerable endpoint is reflected HTML-encoded rather than raw.
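The post-upgrade check described above can be scripted so that it is repeatable and does not rely on eyeballing the response. The following is an added example, not code from the advisory or the project: it sends a harmless marker payload, then classifies the response as `raw` (payload reflected verbatim, still vulnerable), `encoded` (only the HTML-encoded form appears) or `absent`. The endpoint URL and the parameter name `q` are placeholders; the page does not name the reflected parameter, so substitute the one your deployment exposes. The sample responses are constructed for illustration, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the advisory or the project): verify that a reflected
# parameter is HTML-encoded after upgrading past CVE-2020-36634.
# Placeholders: the endpoint URL and the parameter name "q" are assumptions.

# A marker that is inert when encoded but unmistakable when reflected raw.
PAYLOAD='<svg/onload=alert(1)>'

# Encode the five characters that matter in HTML element content and attribute
# values. "&" is handled first so the entities added later are not re-encoded.
html_encode() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Classify a response body with respect to the payload:
#   raw     - payload appears verbatim: the endpoint is still vulnerable
#   encoded - only the HTML-encoded form appears: the fix is effective
#   absent  - neither form appears: inspect manually (different encoding,
#             payload dropped by validation, or wrong parameter/endpoint)
classify_reflection() {
    body="$1"; payload="$2"
    encoded="$(html_encode "$payload")"
    case "$body" in
        *"$payload"*) printf 'raw\n' ;;
        *"$encoded"*) printf 'encoded\n' ;;
        *)            printf 'absent\n' ;;
    esac
}

# Send the payload in the query string and classify the reply.
# Needs network access to the target; not exercised by the offline samples below.
probe_endpoint() {
    url="$1"; param="${2:-q}"
    body="$(curl -sS -G --data-urlencode "${param}=${PAYLOAD}" "$url")"
    classify_reflection "$body" "$PAYLOAD"
}

# Constructed sample responses (illustrative, not captured from a real server).
SAMPLE_VULNERABLE='<html><body>Value: <svg/onload=alert(1)> (exported)</body></html>'
SAMPLE_FIXED='<html><body>Value: &lt;svg/onload=alert(1)&gt; (exported)</body></html>'

# Usage: check_reflection.sh <application_url> [param]
if [ "$#" -gt 0 ]; then
    probe_endpoint "$1" "${2:-q}"
else
    printf 'before upgrade: %s\n' "$(classify_reflection "$SAMPLE_VULNERABLE" "$PAYLOAD")"
    printf 'after upgrade:  %s\n' "$(classify_reflection "$SAMPLE_FIXED" "$PAYLOAD")"
fi
```

An `encoded` verdict shows that the value is rendered as text in element content; it does not cover a value that lands inside a script block or an unquoted attribute, where HTML entity encoding alone is insufficient, so check those contexts separately if the application uses them.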
Update the Indeed Engineering util library to version 1.0.34 or later. That release fixes the cross-site scripting (XSS) vulnerability present in earlier versions. The updated version is available from the official repository or through your dependency manager.
CVE-2020-36634 is a cross-site scripting (XSS) vulnerability affecting Indeed Engineering util versions 1.0.0 through 1.0.33, allowing attackers to inject malicious scripts.
You are affected if you are using Indeed Engineering util versions 1.0.0 through 1.0.33. Upgrade to 1.0.34 or later to resolve the issue.
Upgrade Indeed Engineering util to version 1.0.34 or later. Until then, input validation and output encoding of user-supplied data are a temporary workaround, not a replacement for the fix.
No active exploitation campaigns have been publicly reported, but the vulnerability remains a risk.
Refer to VDB-216882 for details on this vulnerability.