CVE-2020-16270

MEDIUM

OLIMPOKS < 3.3.39 - Authenticated Cross-Site Scripting via Error Message

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-16270. PoCs published by Security-AVS.

AI-analyzed exploit summary: This repository provides a writeup and proof-of-concept for CVE-2020-16270, an XSS vulnerability in OLIMPOKS versions under 3.3.39. The vulnerability allows remote attackers to inject malicious JavaScript payloads via the ErrorMessage parameter in the Auth/Admin endpoint.

Description

OLIMPOKS under 3.3.39 allows XSS via the Auth/Admin ErrorMessage parameter. A remote attacker can use the vulnerability to inject a malicious JavaScript payload into victims' browsers in the context of the vulnerable application. The executed code can be used to steal the administrator's cookies, alter the HTML content of the targeted application, and perform phishing-related attacks. The vulnerable application is used in more than 3000 organizations in sectors ranging from retail to industry.

Exploits (1)

Writeup (nomisec), PoC by Security-AVS
https://github.com/Security-AVS/CVE-2020-16270


Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: OLIMPOKS under 3.3.39
Authentication: No auth needed
Prerequisites: Access to the vulnerable endpoint
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)

- Product, Vendor Advisory (x_refsource_misc): https://olimpoks.ru/oks/forum/olimpoks5.php
- Third Party Advisory (x_refsource_misc): https://bdu.fstec.ru/vul/2020-04623
- Third Party Advisory (x_refsource_misc): https://github.com/Security-AVS/CVE-2020-16270

Scores

CVSS v3: 6.1
EPSS: 0.1311
EPSS Percentile: 95.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): olimpoks/olimpok < 3.3.39
Published: Oct 16, 2020
Tracked Since: Feb 18, 2026