Discovery of 2 new CVEs: CVE-2020-35542 & CVE-2020-22789
Last month, three of our colleagues discovered important CVEs in their work as renowned security specialists at Secura: CVE-2020-35542 and CVE-2020-22789. We are proud to share this news and we would like to congratulate Harikrishnan Padmanabha Pillai, Ricardo Sanchez & David van Gool for these great achievements!
This vulnerability was subsequently reported to Unisys and remediated. For more information about this vulnerability and its technical details, please read further.
Alongside Harikrishnan, our colleagues Ricardo Sanchez and David van Gool also made an interesting discovery. In the course of their work, they found an unauthenticated stored XSS vulnerability (CVE-2020-22789) in FME Server versions 2019.2 and 2020.0 Beta.
This second vulnerability allows a remote attacker to gain administrator privileges by injecting arbitrary web script or HTML via the login page. The injected script executes when an administrator views the logs page. As part of Secura's responsible disclosure process, the vulnerability was reported and fixed by the vendor in the
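To illustrate the defect class behind CVE-2020-22789 (an unauthenticated login attempt whose username is written to a log and later rendered, unescaped, to an administrator), here is an added example. It is not FME Server code or Secura's code: it assumes a hypothetical log viewer that records failed logins as `LoginEvent` records, and shows the vulnerable rendering next to the hardened one plus a simple detection check over the stored entries.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class LoginEvent:
    """One failed-login entry as a hypothetical log viewer might store it."""
    timestamp: str
    username: str   # attacker-controlled: arrives unauthenticated via the login form
    source_ip: str


def render_unsafe(events):
    """Vulnerable pattern: the untrusted username is interpolated straight into HTML,
    so whatever was typed into the login form runs in the administrator's browser."""
    rows = "".join(
        f"<tr><td>{e.timestamp}</td><td>{e.username}</td><td>{e.source_ip}</td></tr>"
        for e in events
    )
    return f"<table>{rows}</table>"


def render_safe(events):
    """Hardened form: every untrusted field is HTML-escaped at output time."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(e.timestamp), html.escape(e.username), html.escape(e.source_ip)
        )
        for e in events
    )
    return f"<table>{rows}</table>"


# Characters and tokens that have no business in a username; their presence in a
# failed-login record is a cheap signal worth alerting on.
MARKUP = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)


def suspicious_logins(events):
    """Detection: return the login attempts whose username carries HTML or script markup."""
    return [e for e in events if MARKUP.search(e.username)]


# Constructed sample entries; not real FME Server log data.
SAMPLE = [
    LoginEvent("2020-06-01T10:00:00Z", "admin", "192.0.2.10"),
    LoginEvent("2020-06-01T10:00:05Z", "<script>alert(1)</script>", "192.0.2.77"),
]
```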