CVE-2020-29477

MEDIUM

Invision Community 4.5.4 - Stored Cross-Site Scripting in Field Name


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-29477. PoCs published by Hemant Patidar.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Invision Community 4.5.4 by injecting a malicious script into the 'Field Name' parameter of a profile field. The payload is submitted via a crafted POST request to the admin interface, triggering the XSS when the field is saved.

Description

Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. An attacker can inject an XSS payload into Field Name; each time any user opens that field, the XSS triggers and the attacker can steal the cookie, depending on the crafted payload.

Exploits (1)

exploitdb WORKING POC
by Hemant Patidar · text · webapps · multiple
https://www.exploit-db.com/exploits/49188

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Invision Community 4.5.4
Auth required
Prerequisites: Admin access to the Invision Community admin panel
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Not Applicable x_refsource_misc
http://invision.com
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49188

Scores

CVSS v3 4.8
EPSS 0.0110
EPSS Percentile 61.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
invisioncommunity/community 4.5.4
Published Dec 30, 2020
Tracked Since Feb 18, 2026