Description
OLIMPOKS before 3.3.39 allows Auth/Admin ErrorMessage XSS. A remote attacker can use the discovered vulnerability to inject a malicious JavaScript payload into victims' browsers in the context of the vulnerable application. The executed code can be used to steal an administrator's cookies, alter the HTML content of the targeted application and perform phishing-related attacks. The vulnerable application is used in more than 3000 organizations in sectors ranging from retail to industry.
Exploits (1)
References (3)
Core References
Product, Vendor Advisory (x_refsource_misc): https://olimpoks.ru/oks/forum/olimpoks5.php
Third Party Advisory (x_refsource_misc): https://bdu.fstec.ru/vul/2020-04623
Third Party Advisory (x_refsource_misc): https://github.com/Security-AVS/CVE-2020-16270
Scores
CVSS v3: 6.1
EPSS: 0.2994
EPSS Percentile: 96.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1)
olimpoks/olimpok < 3.3.39
Published: Oct 16, 2020
Tracked Since: Feb 18, 2026