Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 9 Mar 2021 22:48:43 -0800
From: Will Glass-Husain <>
Subject: CVE-2020-13959: Velocity Tools XSS Vulnerability


The default error page for VelocityView reflects back the vm file that
was entered as part of the URL.  An attacker can set an XSS payload
file as this vm file in the URL which results in this payload being

XSS vulnerabilities allow attackers to execute arbitrary JavaScript in
the context of the attacked website and the attacked user. This can be
abused to steal session cookies, perform requests in the name of the
victim or for phishing attacks.


Applications based on Apache Velocity Tools should upgrade to version
3.1.  This version escapes the reflected text on the default error
page, preventing potential javascript execution.


This issue was reported and a patch was submitted by Jackson Henry,
member of Sakura Samurai.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.