CVE-2020-26680 Information
Jun 07, 2022
Description
In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other user's profile information to include a cross-site scripting payload. The user data stored by the database includes HTML tags that are intentionally rendered onto the page, and this can be abused to perform XSS attacks.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reference
https://www.huntress.com/blog/zero-day-vulnerabilities-in-popular-event-management-platforms-could-leave-msps-open-to-attack
http://vfairs.com
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Base Severity
MEDIUM