CVE-2020-35395

MEDIUM

EGavilan Media Expense Management System 1.0 - Stored Cross-Site Scripting via Description Field


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35395. PoCs published by Nikhil Kumar.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in the Expense Management System via the 'description' parameter. The payload is injected into the 'description' field during an expense addition request, triggering malicious JavaScript execution.

Description

XSS in the Add Expense Component of EGavilan Media Expense Management System 1.0 allows an attacker to permanently store malicious JavaScript code via the 'description' field.

Exploits (1)

exploitdb · WORKING POC
by Nikhil Kumar · text · webapps · multiple
https://www.exploit-db.com/exploits/49146


Classification
Working PoC (95%)
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Expense Management System
No auth needed
Prerequisites: Access to the Expense Management System web interface
MITRE ATT&CK
Analyzed by devstral-2 on Feb 18, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/49146
Exploit, Third Party Advisory
https://nikhilkumar01.medium.com/cve-2020-35395-cd393ac8371c

Scores

CVSS v3 6.1
EPSS 0.0085
EPSS Percentile 53.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
egavilanmedia/expense_management_system 1.0
Published Dec 15, 2020
Tracked Since Feb 18, 2026