CVE-2020-12869
Description
RainbowFish PacsOne Server 6.8.4 allows XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- RainbowFish/PacsOne Server
- Range: =6.8.4
Patches
Vulnerability mechanics
Root cause
"Cross-site scripting (XSS) vulnerability in PacsOne Server 6.8.4 due to insufficient sanitization of user-controlled input."
Attack vector
An attacker can inject arbitrary JavaScript or HTML into a page served by PacsOne Server 6.8.4 by supplying crafted input to a vulnerable parameter. When a victim user views the affected page, the injected script executes in the context of the victim's browser session, potentially allowing theft of session cookies, redirection to malicious sites, or other client-side attacks. The advisory does not specify the exact input vector or page, but the vulnerability is classified as XSS [ref_id=1].
Affected code
The advisory does not identify specific files, functions, or code paths. The vulnerability exists in PacsOne Server version 6.8.4 [ref_id=1].
What the fix does
No patch or fix is published in the provided bundle. The vendor's download page [ref_id=1] lists version history up to 7.3.9 but does not mention a security fix for CVE-2020-12869. Without a patch or advisory detailing remediation, users should apply general XSS defenses such as input validation, output encoding, and Content Security Policy headers, or contact the vendor for an updated release.
Preconditions
- network: The attacker must be able to send HTTP requests to the PacsOne Server web interface.
- input: The attacker must supply crafted input to a vulnerable parameter that is reflected or stored and later rendered without sanitization.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/bzyo/cve-pocs/tree/master/CVE-2020-12869 (mitre, x_refsource_MISC)
- www.pacsone.net/download.htm (mitre, x_refsource_MISC)