CVE-2020-29477 in Community
Summary
by MITRE • 12/31/2020
Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name, and each time any user opens it, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.
Analysis
by VulDB Data Team • 05/10/2026
Invision Community 4.5.4 contains a stored cross-site scripting vulnerability (CWE-79) in the Field Name field. The application does not adequately validate or encode the value of this field before rendering it, so a payload saved as a field name is written back into pages as live markup and executes in the browser of every user who views those pages.
The flaw is triggered when an attacker who can create or modify a field saves a crafted field name. Because the value is stored verbatim and interpolated into HTML without output encoding, the script runs each time the field is rendered, in the session of whichever user loads the page. The MITRE summary names cookie theft as the obvious outcome; note that reading document.cookie only works if the session cookie is not marked HttpOnly, but a script running in the victim's origin can still issue authenticated requests on the victim's behalf regardless of that flag. This is persistent XSS: the payload lives in the database and fires on every page load rather than depending on a single crafted link.
The operational impact therefore goes beyond cookie theft to full compromise of the victim's session. Injected JavaScript executes with the victim's privileges, so the attacker can read whatever the victim can read and submit any request the victim could submit, including administrative changes if an administrator views the field. Field names are typically displayed to everyone who sees the associated form, so one stored payload reaches the whole user base, and an administrator who opens the affected form in the administration area is the highest-value target, since their session can be used to escalate privileges or create further persistence within the application.
Mitigation starts with applying the vendor's security update. In the code, every user-supplied value must be encoded at output time for the context it is written into (HTML text, attribute, URL or JavaScript), and field names should additionally be validated against an allow-list on input, since there is no legitimate reason for a field label to contain markup. A Content Security Policy that disallows inline scripts and event handlers limits what a missed encoding can execute. Code review and security testing should concentrate on every place where stored user content is rendered, and existing field names should be audited for markup that may already have been planted. In ATT&CK terms the script running in the victim's browser maps to T1203 (Exploitation for Client Execution) and the cookie-theft outcome to T1539 (Steal Web Session Cookie); T1531 is Account Access Removal and does not describe this issue. Until the update is applied, restrict who may create or edit fields and reject field names that contain anything other than plain text.