Known Issue: FME Server Unauthenticated and Authenticated Stored Cross-Site Scripting (XSS) Vulnerabilities

Liz Sanderson
Known Issue ID: FMESERVER-14600 | FMESERVER-18292
CVEs: CVE-2020-22790 [Medium], CVE-2020-22789 [Medium], CVE-2022-38339 [Medium]
Discovered: FME Server 2019.2, 2021.2.3 and 2022.0
Affects: All versions of FME Server
Resolved: FME Server 2021.2.6 and 2022.0.1.1

This known issue affects all versions of FME Server. Public-facing FME Server instances, including FME Cloud, are at higher risk. We have not identified any active exploitation of these vulnerabilities in any of our products.

Symptom 

A security scan has reported two stored Cross-Site Scripting (XSS) vulnerabilities on FME Server.

CVE-2020-22790 [NIST Medium severity]: Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute code by injecting arbitrary web script or HTML when modifying user names. The XSS is executed when an administrator accesses the logs.

CVE-2020-22789 [NIST Medium severity]: Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is executed when an administrator accesses the logs.

CVE-2022-38339 [NIST Medium severity]: Safe Software FME Server v2022.0.1.1 and below contains a cross-site scripting (XSS) vulnerability that allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login page.
 

Cause 

JavaScript code may be inserted maliciously through the Login page (Unauthenticated XSS), the User Management page (Authenticated XSS), or via the REST API (Authenticated XSS). The injected code is stored by FME Server and rendered in the Web UI on the System Events > History page (Contents field) or in the Token Management Description field. When an administrator visits that page, the code executes in their browser session, and an unauthorized person may gain access to FME Server data and functionality.
 
Note: The latter two vectors (User Management page and REST API) are only exploitable by someone who has credentials for an FME Server user account that can generate a token or is assigned manage permissions for the User Management item.
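As an added illustration, not FME Server's own code: the rendering pattern behind a stored XSS like the one described above, where a log viewer concatenates an attacker-supplied username straight into HTML, beside the output-encoded fix and a check that the rendered history contains no markup beyond the template's own. The event shape, field names and function names are assumptions.

```javascript
// Constructed sample events, shaped like a "Login Failed" history view might
// store them (assumed field names). The second entry's username carries markup.
const SAMPLE_EVENTS = [
  { type: "Login Failed", contents: "Login failed for user 'alice'" },
  { type: "Login Failed", contents: "Login failed for user '<script>alert(1)</script>'" },
];

// Output-encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable pattern: the stored field is interpolated into markup unchanged,
// so whatever the login form accepted becomes part of the admin's page.
function renderRowUnsafe(ev) {
  return `<tr><td>${ev.type}</td><td>${ev.contents}</td></tr>`;
}

// Fixed pattern: every untrusted field is encoded at the point of rendering.
function renderRowSafe(ev) {
  return `<tr><td>${escapeHtml(ev.type)}</td><td>${escapeHtml(ev.contents)}</td></tr>`;
}

// Builds the whole history table with either renderer.
function renderHistory(events, safe) {
  const render = safe ? renderRowSafe : renderRowUnsafe;
  return `<table>${events.map(render).join("")}</table>`;
}

// Regression check for a viewer's test suite: any '<' that opens something other
// than the template's own table/tr/td tags means stored data reached the DOM as markup.
function containsForeignTag(html) {
  return /<(?!\/?(table|tr|td)\b)[a-z!\/]/i.test(html);
}
```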
 

Resolution

Upgrade FME Server or FME Cloud to 2021.2.6, 2022.0.1.1, or newer, where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners.

If you are currently unable to upgrade FME Server or FME Cloud, disable the ‘Login Failed’ System Event to prevent unauthenticated users from polluting the System Event view. You should also ensure that the System Cleanup job for the System Event History has run and removed all old system events before visiting the System Events > History page.
 

Recognition 

Safe would like to thank Secura and Cycura Data Protection Corp. for making this responsible disclosure to us and recognize their contribution to increasing the security standard of FME.

 

Reporting Security Issues

If you believe you have discovered a vulnerability in FME, our website, or our other products, please email us as quickly as possible at security (at) safe (dot) com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
