CVE-2020-25864
MEDIUM NUCLEI
HashiCorp Consul < 1.7.14, 1.8.0-1.8.9, 1.9.0-1.9.4 - Stored Cross-Site Scripting in KV Raw Mode
Title source: llm
Exploitation Summary
CVE-2020-25864 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
Nuclei Templates (1)
HashiCorp Consul/Consul Enterprise <=1.9.4 - Cross-Site Scripting
MEDIUM
by c-sh0
Shodan:
http.title:"consul by hashicorp" || cpe:"cpe:2.3:a:hashicorp:consul"
FOFA:
title="consul by hashicorp"
References (3)
Core References
Product, Vendor Advisory x_refsource_misc
https://www.hashicorp.com/blog/category/consul
Vendor Advisory x_refsource_misc
https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-09
Scores
CVSS v3
6.1
EPSS
0.0609
EPSS Percentile
92.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
hashicorp/consul
< 1.7.14 (2 CPE variants)
hashicorp/consul
1.9.0 - 1.9.5 (Go)
Published
Apr 20, 2021
Tracked Since
Feb 18, 2026