
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-22790 is an authenticated stored cross-site scripting (XSS) vulnerability affecting FME Server versions 2019.2 and 2020.0 Beta. A remote, authenticated attacker can inject arbitrary web script or HTML by modifying a user's name; the injected content executes when an administrator views the logs (NVD, Mexican Pentester).
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Its CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; its CVSS v2.0 base score is 3.5 (Low) with vector (AV:N/AC:M/Au:S/C:N/I:P/A:N). The root cause is that the application does not sanitize the name fields when users are created, deleted, or modified, and the stored names are later rendered in the logs without output encoding (NVD).
When exploited, the vulnerability lets an authenticated attacker inject malicious web script or HTML that executes when an administrator views the logs. This could lead to the compromise of administrator sessions and access to sensitive information (NVD).
The vulnerability has been addressed in subsequent versions of FME Server, and users are advised to upgrade to a patched version. The vendor has acknowledged the vulnerability and provided security updates (Safe Community).
Source: This report was generated using AI