{"api_version":"1","generated_at":"2026-04-29T13:52:36+00:00","cve":"CVE-2020-29477","urls":{"html":"https://cve.report/CVE-2020-29477","api":"https://cve.report/api/cve/CVE-2020-29477.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-29477","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-29477"},"summary":{"title":"CVE-2020-29477","description":"Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user will open that, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-12-30 15:15:00","updated_at":"2021-01-04 15:13:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"http://invision.com","name":"http://invision.com","refsource":"MISC","tags":["Not Applicable"],"title":"InVision | Digital product design, workflow & collaboration","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/49188","name":"https://www.exploit-db.com/exploits/49188","refsource":"MISC","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting - Multiple webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-29477","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-29477","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"29477","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"invisioncommunity","cpe5":"community","cpe6":"4.5.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"29477","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"invisioncommunity","cpe5":"community","cpe6":"4.5.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-29477","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user will open that, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"http://invision.com","refsource":"MISC","name":"http://invision.com"},{"refsource":"MISC","name":"https://www.exploit-db.com/exploits/49188","url":"https://www.exploit-db.com/exploits/49188"}]}},"nvd":{"publishedDate":"2020-12-30 15:15:00","lastModifiedDate":"2021-01-04 15:13:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.7,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:invisioncommunity:community:4.5.4:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"29477","Ordinal":"192553","Title":"CVE-2020-29477","CVE":"CVE-2020-29477","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"29477","Ordinal":"1","NoteData":"Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user will open that, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"29477","Ordinal":"2","NoteData":"2020-12-30","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"29477","Ordinal":"3","NoteData":"2020-12-30","Type":"Other","Title":"Modified"}]}}}