CVE-2020-13959

MEDIUM

Apache Velocity Tools < 3.1 - Cross-Site Scripting via URL vm File Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-13959. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary This repository contains the vulnerable source code for Apache Velocity Tools, specifically showcasing the components affected by CVE-2020-13959. It includes examples and generic tools but does not provide an exploit or detailed analysis of the vulnerability itself.

Description

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Exploits (2)

nomisec WRITEUP

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2020-13959-velocity-tools-vulnerable

View Code ZIP pw:eip

This repository contains the vulnerable source code for Apache Velocity Tools, specifically showcasing the components affected by CVE-2020-13959. It includes examples and generic tools but does not provide an exploit or detailed analysis of the vulnerability itself.

Classification

Writeup 90%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: Apache Velocity Tools 3.0

No auth needed

Prerequisites: Access to a vulnerable Apache Velocity Tools instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Mar 14, 2026 Full analysis →

nomisec WRITEUP

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2020-13959-velocity-tools-vulnerable

View Code ZIP pw:eip

This repository contains the source code for Apache Velocity Tools, specifically a vulnerable version (3.0) affected by CVE-2020-13959. The code includes examples and generic tools but does not provide an exploit PoC or detailed vulnerability analysis.

Classification

Writeup 90%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: Apache Velocity Tools 3.0

No auth needed

Prerequisites: Access to a vulnerable Apache Velocity Tools 3.0 instance

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (7)

Core 7

Core References

Mailing List, Vendor Advisory x_refsource_misc

https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6%40%3Ccommits.velocity.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72%40%3Cannounce.apache.org%3E

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2021/03/10/2

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2021/03/msg00021.html

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r97edad0655770342d2d36620fb1de50b142fcd6c4f5c53dd72ca41d7%40%3Cuser.velocity.apache.org%3E

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202107-52

Scores

CVSS v3 6.1

EPSS 0.0321

EPSS Percentile 87.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

apache/velocity_tools < 3.1

debian/debian_linux 9.0

org.apache.velocity/velocity-tools 0Maven

org.apache.velocity.tools/velocity-tools-parent 0 - 3.1Maven

Published Mar 10, 2021

Tracked Since Feb 18, 2026