vulnerability

Debian: CVE-2020-13959: velocity-tools -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	Mar 10, 2021	Mar 19, 2021	Mar 30, 2026

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Mar 10, 2021

Added

Mar 19, 2021

Modified

Mar 30, 2026

Description

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Solution

debian-upgrade-velocity-tools

References

CVE-2020-13959
https://attackerkb.com/topics/CVE-2020-13959
CWE-79
DEBIAN-DLA-2597-1
EUVD-EUVD-2021-0652
https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-0652

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report