{"id":"CVE-2020-23647","details":"Cross Site Scripting (XSS) vulnerability in BoxBilling 4.19, 4.19.1, 4.20, and 4.21 allows remote attackers to run arbitrary code via the message field on the submit new ticket form.","modified":"2026-04-10T04:24:50.947313Z","published":"2023-04-28T20:15:13.320Z","references":[{"type":"REPORT","url":"https://github.com/boxbilling/boxbilling/issues/596"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/boxbilling/boxbilling","events":[{"introduced":"0"},{"last_affected":"ac25dc0a1b25c9393349c29a2a16d9ee090541a1"},{"introduced":"0"},{"last_affected":"76b48d93d842e17ebd748faad46ebc04dd136db3"},{"introduced":"0"},{"last_affected":"f6bd2896028e65abd5bbf3cfbb4c9c48c6605efd"},{"introduced":"0"},{"last_affected":"593e22ecb075548f8430722ae0c9503025d20d08"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.19"},{"introduced":"0"},{"last_affected":"4.19.1"},{"introduced":"0"},{"last_affected":"4.20"},{"introduced":"0"},{"last_affected":"4.21"}]}}],"versions":["4.11.11","4.11.3","4.13","4.14","4.15","4.15.5","4.16","4.16.3","4.17","4.18","4.19","4.19.1","4.20","4.21"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-23647.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}