CVE-2020-23014
MEDIUM
apfell < 1.4 - Authenticated Reflected Cross-Site Scripting via /apiui/command_ Payloadtypes Callback
Title source: llm
Description
APfell 1.4 is vulnerable to authenticated reflected cross-site scripting (XSS) in /apiui/command_ through the payloadtypes_callback function, which allows an attacker to steal a remote admin/user session and/or add new users to the administration panel.
References (2)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/its-a-feature/Apfell/commit/5fc64502bc008388514f2b5d1160b677e3b4a7f3
Exploit, Third Party Advisory x_refsource_misc
https://seekurity.com/blog/2020/04/19/admin/advisories/apfell-post-exploitation-red-team-framework-authenticated-cross-site-scripting-vulnerability
Scores
CVSS v3: 5.4
EPSS: 0.0059
EPSS Percentile: 43.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1)
apfell_project/apfell < 1.4
Published: Jan 26, 2021
Tracked Since: Feb 18, 2026