Description
The dashboard in WhiteSource Application Vulnerability Management (AVM) before version 20.4.1 allows log injection via a %0A%0D substring in the idp parameter to the /saml/login URI. The CR/LF sequence closes the current log entry and creates a new one containing a single line of attacker-controlled data, so an attacker can insert malicious data and false entries into the log.
References (2)
Vendor Advisory (x_refsource_misc): https://www.whitesourcesoftware.com/oss_security_vulnerabilities/
Various Sources (x_refsource_misc): https://medium.com/%40venkatajayaram.yalla/whitesource-log-injection-vulnerability-cve-2020-5304-e543b7943c2b
Scores
CVSS v3: 7.5
EPSS: 0.0100
EPSS Percentile: 58.0%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-116
Status: published
Products (1): whitesourcesoftware/whitesource < 20.4.1
Published: Jun 08, 2020
Tracked Since: Feb 18, 2026