Micro Focus Vibe stored XSS vulnerability (CVE-2020-9520)

  • 7024549
  • 08-Apr-2020
  • 08-Apr-2020

Environment

Versions of Micro Focus Vibe prior to Vibe 4.0.7

Situation

A stored XSS vulnerability was discovered in Micro Focus Vibe prior to 4.0.7. It allows a remote attacker to craft and store malicious content in Vibe so that, when another user of the system views the content, attacker-controlled JavaScript executes in the security context of the target user’s browser.

Resolution

Micro Focus has made the following mitigation information available to resolve the vulnerability for the impacted versions of Micro Focus Vibe:

Status

Security Alert

Additional Information

Credit: Thanks to Dr. Vladimir Bostanov, SySS GmbH for researching and responsibly disclosing this vulnerability to the Micro Focus Product Security team.

CVSS Version 3.0 and Version 2.0 Base Metrics

  • Reference: CVE-2020-9520
  • V3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • V3 Base Score: 5.4
  • V2 Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N)
  • V2 Base Score: 5.5


Original KB ID
This security bulletin was previously published as KM03630475 on 25-Mar-2020.