Environment
Versions of Micro Focus Vibe prior to Vibe 4.0.7
Situation
A stored XSS vulnerability was discovered in Micro Focus Vibe prior to 4.0.7. It allows a remote attacker to craft and store malicious content in Vibe such that, when the content is viewed by another user of the system, attacker-controlled JavaScript executes in the security context of the target user’s browser.
Resolution
Micro Focus has made the following mitigation information available to resolve the vulnerability for the impacted versions of Micro Focus Vibe:
Status
Security Alert
Additional Information
Credit: Thanks to Dr. Vladimir Bostanov, SySS GmbH for researching and responsibly disclosing this vulnerability to the Micro Focus Product Security team.
CVSS Version 3.0 and Version 2.0 Base Metrics
Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score |
---|---|---|---|---|
CVE-2020-9520 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | (AV:N/AC:L/Au:S/C:P/I:P/A:N) | 5.5 |
Original KB ID
This security bulletin was previously published as KM03630475 on 25-Mar-2020.