CVE-2020-36523 · CVSS 3.5 (LOW)

PlantUML Database Information Macro cross site scripting


Platform

other

Component

plantuml

Fixed version

6.43.1

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2020-36523 identifies a cross-site scripting (XSS) vulnerability in PlantUML version 6.43, the only version listed as affected. The flaw resides in the Database Information Macro component and lets a remote attacker inject script that executes in the browser of a user who views the affected output. The vulnerability has been publicly disclosed and a fix is available in version 6.43.1.

Impact and attack scenarios

Successful exploitation of CVE-2020-36523 allows an attacker to inject arbitrary JavaScript into output that the Database Information Macro renders in a user's browser. The script then runs in that user's session of the PlantUML interface. The usual consequences of XSS are session hijacking, defacement of the interface and theft of data visible to the victim; note, however, that the CVSS vector recorded for this CVE rates the integrity impact as low and the confidentiality and availability impact as none (C:N/I:L/A:N), so the scored impact is limited. The exposure is greater in environments where diagrams display confidential data or are integrated into critical workflows. The attack vector is network (AV:N), so the attacker does not need local access to the PlantUML server; the vector does require a low-privileged account (PR:L) and an action by the victim, such as opening the page that contains the injected content (UI:R).

Exploitation context

CVE-2020-36523 was publicly disclosed on June 3, 2022. Whether a public proof-of-concept exists is unknown; if one appears, the risk of exploitation rises. The vulnerability is not listed on CISA KEV, and there are no confirmed reports of active exploitation campaigns. The CVSS base score of 3.5 (LOW) measures severity, not likelihood; the EPSS score of 0.21% (43rd percentile) estimates a low probability of exploitation in the wild. Public disclosure still warrants prompt remediation.

Who is at risk

Organizations and individuals running PlantUML version 6.43, particularly those who use PlantUML to generate diagrams from user-supplied data or embed it in web applications, are at risk. Shared or multi-tenant deployments in which several users can influence the content rendered by the Database Information Macro are especially exposed, because the CVSS vector requires only a low-privileged account.


Threat intelligence

Exploitation status

Proof of concept: Unknown
CISA KEV: No
Internet exposure: not stated

EPSS

0.21% (43rd percentile)

CVSS vector

Threat intelligence · CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, base score 3.5 (LOW). CVSS v3.1 base score (source: nextguardhq.com).

What these metrics mean

Attack Vector: Network. How the attacker reaches the target. Exploitable remotely over the Internet with no physical or local access; the widest attack surface.
Attack Complexity: Low. Conditions needed to exploit the flaw. No special conditions; exploitation is reliable.
Privileges Required: Low. Authentication level needed for the attack. Any valid user account suffices.
User Interaction: Required. Whether the victim must act. The victim must open a file, click a link or visit a crafted page.
Scope: Unchanged. Reach beyond the affected component. Impact is confined to the vulnerable component itself.
Confidentiality: None. Risk of sensitive data exposure. No confidentiality impact.
Integrity: Low. Risk of unauthorized data modification. The attacker can modify some data, with limited impact.
Availability: None. Risk of service disruption. No availability impact.

Affected software

Component: plantuml
Vendor: unspecified
Affected range: 6.43
Fixed version: 6.43.1

Mitigations and workarounds

The primary mitigation for CVE-2020-36523 is to upgrade PlantUML to version 6.43.1 or later, which contains the fix. If an immediate upgrade is not feasible, validate and, more importantly, output-encode any user-supplied data that ends up in the macro's rendered HTML: context-appropriate encoding at the point of output is what stops XSS, and input validation alone is not a reliable substitute. A precise WAF rule is hard to write without knowing the exact injection point, but restricting who can use the Database Information Macro reduces the attack surface. After upgrading, verify the fix in a non-production instance by placing a harmless test payload (for example an element carrying an inline event handler) into the data the macro renders and confirming that it is displayed as text rather than executed.
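The following is an added example and not code from PlantUML or from the Database Information Macro; the advisory does not describe the macro's internals, so the renderers below (render_unsafe, render_safe), the field names (db_name, description, data-db) and the two payloads are assumptions that model the generic pattern behind this class of bug: untrusted database metadata interpolated straight into HTML, beside the hardened output-encoded form. It also shows the post-upgrade verification step from the paragraph above as a parser-based check rather than a grep, because escaped text that merely looks like an event handler must not count as a finding.

```python
"""Added example, not code from PlantUML or the Database Information Macro:
models the generic XSS pattern (untrusted metadata interpolated into HTML)
next to its hardened form, plus a parser-based check for verifying a fix."""
import html
from html.parser import HTMLParser


# Constructed sample inputs (hypothetical): values a low-privileged user could
# store as a database name or a table description that a macro later renders.
DB_NAME = "inventory"
CONTENT_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_unsafe(db_name: str, description: str) -> str:
    """Vulnerable pattern: raw interpolation of untrusted values into HTML,
    once inside an attribute (data-db) and once as element content."""
    return (f'<div class="dbinfo" data-db="{db_name}">'
            f'<h3>{db_name}</h3><p>{description}</p></div>')


def render_safe(db_name: str, description: str) -> str:
    """Hardened pattern: HTML-encode each untrusted value at the point it is
    placed into markup. quote=True also encodes " and ', which is what stops
    the attribute-context breakout."""
    name = html.escape(db_name, quote=True)
    desc = html.escape(description, quote=True)
    return (f'<div class="dbinfo" data-db="{name}">'
            f'<h3>{name}</h3><p>{desc}</p></div>')


class CarrierFinder(HTMLParser):
    """Records script tags, inline event-handler attributes and javascript:
    URLs as an HTML tokenizer sees them. Parsing instead of grepping matters:
    the escaped attribute value '&quot; onfocus=&quot;' still contains the
    text 'onfocus=' but is not an attribute, so a regex would false-positive."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "script":
            self.findings.append(("tag", "script"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("handler", f"{tag}@{name}"))
            elif (name in ("href", "src", "action") and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(("url", f"{tag}@{name}"))


def executable_carriers(rendered: str) -> list:
    """Return the executable carriers found in rendered HTML. An empty list is
    a regression-test pass, not a proof of absence: this is a static check of
    the server's output, not a browser."""
    finder = CarrierFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


def verify_fix(render) -> dict:
    """Run both payloads through a renderer; maps case name -> carriers found.
    The content payload goes into the description, the attribute payload into
    the database name, so each injection context is exercised once."""
    return {
        "content": executable_carriers(render(DB_NAME, CONTENT_PAYLOAD)),
        "attribute": executable_carriers(render(ATTRIBUTE_PAYLOAD, "benign")),
    }


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(label, verify_fix(renderer))
```

Running the block prints a non-empty carrier list for render_unsafe in both contexts and an empty list for render_safe. To reuse the check against a real deployment, feed executable_carriers the HTML returned by the upgraded instance after storing the same test payloads; a finding means the payload survived as live markup, while an empty result only says the static check passed and should be confirmed in a browser.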

Remediation

Upgrade PlantUML to version 6.43.1 or later, the release that fixes the cross-site scripting (XSS) vulnerability in the Database Information Macro. Consult the PlantUML release notes or changelog for details of the fixed version. Until the upgrade is in place, disable or avoid using the Database Information Macro.


Frequently asked questions

What is CVE-2020-36523 — XSS in PlantUML 6.43?

CVE-2020-36523 is a cross-site scripting (XSS) vulnerability affecting PlantUML version 6.43, specifically the Database Information Macro component. It allows an attacker to inject script that executes in the browser of a user who views the affected output; it is not remote code execution on the server.

Am I affected by CVE-2020-36523 in PlantUML 6.43?

You are affected if you run PlantUML version 6.43. Upgrade to version 6.43.1 or later to remove the risk.

How do I fix CVE-2020-36523 in PlantUML 6.43?

Upgrade PlantUML to version 6.43.1 or later. If upgrading is not immediately possible, output-encode user-supplied data rendered by the macro, and restrict who can use the Database Information Macro, as a temporary workaround.

Is CVE-2020-36523 being actively exploited?

While there are no confirmed reports of active exploitation, the vulnerability has been publicly disclosed, increasing the potential for exploitation.

Where can I find the official PlantUML advisory for CVE-2020-36523?

Refer to the PlantUML project's security advisories and release notes for details: https://plantuml.com/security
