CVE-2020-13697

MEDIUM

nanohttpd < 2.3.1 - Reflected Cross-Site Scripting via GeneralHandler GET Handler

Title source: llm

Description

An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization.

References (2)

Product, Third Party Advisory x_refsource_misc
https://github.com/NanoHttpd/nanohttpd
Third Party Advisory x_refsource_misc
https://www.vdoo.com/advisories

Scores

CVSS v3 6.1
EPSS 0.0075
EPSS Percentile 50.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
nanohttpd/nanohttpd < 2.3.1
org.nanohttpd/nanohttpd-nanolets 0 Maven
Published Feb 23, 2021
Tracked Since Feb 18, 2026