How severe is CVE-2020-5217?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.8 out of 10.

What type of vulnerability is CVE-2020-5217?

This is classified as CWE-95, which is a common weakness in software security.

CVE-2020-5217

MEDIUM Year: 2020

CVSS v3 Score

5.8

Medium

CVSS v2 Score

5.0

Medium

Weakness Type

CWE-95

View all →

Vulnerability Description

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.

CVE-2024-32647

MEDIUM

CVSS:5.3(Medium)

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `ra...

CWE-952024

CVE-2024-32649

MEDIUM

CVSS:5.3(Medium)

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-...

CWE-952024

CVE-2021-33678

MEDIUM

CVSS:6.5(Medium)

A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged att...

CWE-952021

CVE-2019-9507

HIGH

CVSS:7.2(High)

The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to command injection because the application incorrectly neutralizes code syntax before executing. Since all commands wi...

CWE-952019

CVE-2023-0888

HIGH

CVSS:7.2(High)

An improper neutralization of directives in dynamically evaluated code vulnerability in the WiFi Battery embedded web server in versions L90/U70 and L92/U92 can be used to gain administrative access t...

CWE-952023

CVE-2024-10633

HIGH

CVSS:7.3(High)

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0...

CWE-952024

CVE-2020-5217

Vulnerability Description

Related Vulnerabilities

CVE-2024-32647

CVE-2024-32649

CVE-2021-33678

CVE-2019-9507

CVE-2023-0888

CVE-2024-10633