{"id":"CVE-2020-12707","details":"An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements.","modified":"2026-04-10T04:24:06.821699Z","published":"2020-05-07T20:15:12.500Z","references":[{"type":"FIX","url":"https://gitlab.com/lepton-cms/LEPTON/-/commit/52215f708395a329c9e17ea33bfc6762d4efccbb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/lepton-cms/LEPTON","events":[{"introduced":"0"},{"last_affected":"2ee628239a4c8147a67e41e7c6ee2b755c9c4f0b"},{"fixed":"52215f708395a329c9e17ea33bfc6762d4efccbb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.5.0"}]}}],"versions":["2.0.0","2.0.0-RC","2.0.0.0","2.0.0_stable","2.1.0","2.2.2","2.3.0","2.4.0","3.0.0","3.0.0-RC1","3.0.1","4.0.0","4.1.0","4.2.0","4.3.0","4.4.0","4.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12707.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}