CVE-2020-13959

CVE-2020-13959: Velocity Tools XSS Vulnerability

Vendor Apache Software Foundation

Product Apache Velocity Tools

Weakness CWE-79 · XSS

Published March 10, 2021

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Key dates

02Disclosure timeline

March 10, 2021 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-13959

Related vulnerabilities

04Related CVE

CVE-2026-39692 WordPress tagDiv Composer plugin <= 5.4.3 - Cross Site Scripting (XSS) vulnerability CVE-2021-32853 Erxes vulnerable to Cross-site Scripting CVE-2025-46734 league/commonmark Cross-site Scripting vulnerability in Attributes extension CVE-2023-31163 Improper Neutralization of Input During Web Page Generation CVE-2026-42410 WordPress TheGem theme Elements (for Elementor) plugin < 5.12.1.1 - Cross Site Scripting (XSS) vulnerability