CVE-2020-26799
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-07-22
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| luxsoft | luxcal | 4.5.2 |
| luxsoft | luxcal | 4.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-26799 is a reflected Cross-Site Scripting (XSS) vulnerability in LuxCal version 4.5.2, specifically in the index.php file's RSS feed link parameter. It allows unauthenticated attackers to inject malicious JavaScript code because the application does not properly sanitize user input before reflecting it in the HTML response. This can be exploited by crafting malicious URLs that execute scripts in the context of other users' browsers. [2]
How can this vulnerability impact me?
This vulnerability can lead to several impacts including information disclosure by accessing sensitive user data and session information, stealing cookies to hijack user sessions, enabling social engineering attacks through fake login forms or malicious content, performing Cross-Site Request Forgery (CSRF) attacks to act on behalf of victims, credential harvesting via fake forms, and malware distribution by redirecting users to malicious websites. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the index.php file's rssfeed parameter for reflected XSS. You can try sending crafted URLs with JavaScript payloads to see if the input is reflected unsanitized in the response. Example test URLs include: http://target.com/index.php?rssfeed=<script>alert('XSS')</script> or more advanced payloads to check for cookie stealing. Using tools like curl or browser developer tools to inspect responses can help detect the vulnerability. For example, you can run: curl -i "http://target.com/index.php?rssfeed=<script>alert('XSS')</script>" and check if the script tag is reflected in the response body. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading LuxCal to version 4.7.x or later, which fixes this vulnerability. Additionally, implement proper input validation and sanitization on the rssfeed parameter using PHP functions like htmlspecialchars() or filter_var(). Apply output encoding to all dynamic content before rendering. Enforce Content Security Policy (CSP) headers such as default-src 'self' and security headers like X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and X-XSS-Protection: 1; mode=block to prevent script execution. [2]
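As an added illustration (not LuxCal's own code and not from the advisory), the unescaped-reflection pattern behind a reflected XSS like this one is shown beside the hardened handling of the rssfeed parameter that the answer above recommends; the markup, function names and sample input are assumed.

```php
<?php
// Illustrative example, not LuxCal's code. Contrasts raw reflection of a GET
// parameter with validation + HTML encoding, and sets the headers named above.
// The parameter name 'rssfeed' comes from the advisory; everything else is assumed.

// Vulnerable pattern: the raw parameter value is written straight into the page,
// so any markup in it becomes part of the HTML the victim's browser renders.
function renderRssLinkVulnerable(string $rssfeed): string
{
    return '<a href="' . $rssfeed . '">RSS feed</a>';
}

// Hardened pattern: validate that the value is a plain http(s) URL, then encode it
// for the HTML attribute context so < > " ' & can never close the attribute or tag.
function renderRssLinkSafe(?string $rssfeed): string
{
    $url = filter_var((string) $rssfeed, FILTER_VALIDATE_URL);
    if ($url === false || !preg_match('#^https?://#i', $url)) {
        return ''; // reflect nothing when the value is not a web URL
    }
    $encoded = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $encoded . '">RSS feed</a>';
}

// Response headers from the mitigation advice, sent before any output.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'");
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header('X-XSS-Protection: 1; mode=block');
}

// Demonstration with a constructed input that closes the attribute and injects a tag.
sendSecurityHeaders();
$input = $_GET['rssfeed'] ?? '"><script>alert(1)</script>';
echo renderRssLinkVulnerable($input), "\n"; // injected tag lands in the page unchanged
echo renderRssLinkSafe($input), "\n";       // empty line: input fails URL validation
echo renderRssLinkSafe('http://example.com/cal.rss?a=1&b=2'), "\n"; // & becomes &amp;
// Even if validation were bypassed, encoding alone neutralizes the markup:
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n"; // &quot;&gt;&lt;script&gt;...
```

Run it from the command line with `php example.php` to see the three renderings side by side; in a real handler the encoded value, not the raw one, is what reaches the template.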