{"id":"CVE-2020-36634","details":"A vulnerability classified as problematic has been found in Indeed Engineering util up to 1.0.33. Affected is the function visit/appendTo of the file varexport/src/main/java/com/indeed/util/varexport/servlet/ViewExportedVariablesServlet.java. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.34 is able to address this issue. The name of the patch is c0952a9db51a880e9544d9fac2a2218a6bfc9c63. It is recommended to upgrade the affected component. VDB-216882 is the identifier assigned to this vulnerability.","modified":"2026-04-11T16:25:23.109370Z","published":"2022-12-27T13:15:11.047Z","references":[{"type":"ADVISORY","url":"https://github.com/indeedeng/util/releases/tag/published%2F1.0.34"},{"type":"ADVISORY","url":"https://vuldb.com/?ctiid.216882"},{"type":"ADVISORY","url":"https://vuldb.com/?id.216882"},{"type":"FIX","url":"https://github.com/indeedeng/util/commit/c0952a9db51a880e9544d9fac2a2218a6bfc9c63"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/indeedeng/util","events":[{"introduced":"0"},{"fixed":"6576821ed96618479376ec06e701b6766841d7e3"},{"fixed":"c0952a9db51a880e9544d9fac2a2218a6bfc9c63"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.0.34"}]}}],"versions":["published/1.0.0","published/1.0.1","published/1.0.29","published/1.0.30","published/1.0.31","published/1.0.32","published/1.0.33","util-parent-1.0.0","util-parent-1.0.12","util-parent-1.0.13","util-parent-1.0.14","util-parent-1.0.15","util-parent-1.0.16","util-parent-1.0.17","util-parent-1.0.18","util-parent-1.0.19","util-parent-1.0.20","util-parent-1.0.21","util-parent-1.0.22","util-parent-1.0.23","util-parent-1.0.23-internal-20161102150821","util-parent-1.0.24","util-parent-1.0.25","util-parent-1.0.9"],"database_specific":{"vanir_signatures":[{"target":{"function":"showUsingTemplate","file":"varexport/src/main/java/com/indeed/util/varexport/servlet/ViewExportedVariablesServlet.java"},"signature_type":"Function","digest":{"length":1387,"function_hash":"330961802448883929897768170915464846959"},"source":"https://github.com/indeedeng/util/commit/c0952a9db51a880e9544d9fac2a2218a6bfc9c63","signature_version":"v1","deprecated":false,"id":"CVE-2020-36634-31fa9a77"},{"target":{"file":"varexport/src/main/java/com/indeed/util/varexport/servlet/ViewExportedVariablesServlet.java"},"signature_type":"Line","digest":{"line_hashes":["325087845221170558127142262548176867930","288612317149440052810646470835445273662","76646569350539799589285675913348239928","292650216923068874872495908028633250642","38018678274071333309456089785837313739","71936052351218174506914959343280502468","64133226374242784413681759368062136967","273716453152473084849972950032554867677","166904218602644856701582707061730182349","307183407216193212906211235622015937898","134909493319366594160224661656183286163","257169698931039226980472247367446926492","258247336673861608770281072433972533267","99305169780858186085814644684753502329","178157750805424434602800431340027119497","170107383173145925387617114516439510413","336496000469746219110816181135987062344","334393923134720004203405319157601793266","189967246383772352237222502625724138382","119677434734767794183893359525223668382","257652821320957777978210851979121913547","309911540920842782132174002628835695497","325908312116973442428362543789259739439","42654472018312250785706987951630297220","111837372875116943002472708715634105224","39468581179496491499367354341865346404","280936404183211937489929897210262538248","59279718147465644822974558731685959549","55251446679922174640063529095652248654","143236071661105003932946174026315042200","155487103983094601484255512083984524782","106662302755504582606965660883314779868","95318883802579866648699914418482736199","287465336404728331021319775875169586001","275706392523091783183694936379112244713","76721438593998884439201770775528973800","225952567035148370782287551074764766237","94134028362747952751946735552982164654","116601086577701109690469563351363713662","102111476918380136821765811306101753105","322766579547691276080240211340338966868","68908688536511758992248442912844635610","205522902533194304197913831789606160898","310897955830947416398807507147029686935","154801131141725355247275688511950474437","83926565329111991140281936170467320073","107991090474109452731258160829439851933","124242682754899904855613372762627925920"],"threshold":0.9},"source":"https://github.com/indeedeng/util/commit/c0952a9db51a880e9544d9fac2a2218a6bfc9c63","signature_version":"v1","deprecated":false,"id":"CVE-2020-36634-496cf694"},{"target":{"function":"buildIndex","file":"varexport/src/main/java/com/indeed/util/varexport/servlet/ViewExportedVariablesServlet.java"},"signature_type":"Function","digest":{"length":623,"function_hash":"312880235088124495909880947363727248789"},"source":"https://github.com/indeedeng/util/commit/c0952a9db51a880e9544d9fac2a2218a6bfc9c63","signature_version":"v1","deprecated":false,"id":"CVE-2020-36634-81990371"},{"target":{"file":"varexport/src/test/java/com/indeed/util/varexport/servlet/ViewExportedVariablesServletTest.java"},"signature_type":"Line","digest":{"line_hashes":["63932464327175441930506167595222117071","286981840419299102970187316549061887264","15319166232249096411592493306927702310","304851965462690148246953679543334174016","94259736135573153815003318884957211853","170987128161610649107519405139388779237","274292347259506471528007353198370201472","43507753131856812818712932832900835224","267613941741226588256841991499502888369","78484521245845187474122567852319691428","271310293828393157820351214313327082001","263166638335315441140184387799080490965","338368323424279076162052366461510567701","174208265744396531110523376242346485264","226511546073921576028145001060354342841","331312404966301691535690171103258049495"],"threshold":0.9},"source":"https://github.com/indeedeng/util/commit/c0952a9db51a880e9544d9fac2a2218a6bfc9c63","signature_version":"v1","deprecated":false,"id":"CVE-2020-36634-89928cfc"},{"target":{"file":"varexport/src/main/java/com/indeed/util/varexport/Variable.java"},"signature_type":"Line","digest":{"line_hashes":["265058071835628535419334903494753687549","90637646933016615664795720458910097344","213968783518284045394931656750457342624"],"threshold":0.9},"source":"https://github.com/indeedeng/util/commit/c0952a9db51a880e9544d9fac2a2218a6bfc9c63","signature_version":"v1","deprecated":false,"id":"CVE-2020-36634-8f24d3a1"},{"target":{"function":"buildNGramIndex","file":"varexport/src/main/java/com/indeed/util/varexport/servlet/ViewExportedVariablesServlet.java"},"signature_type":"Function","digest":{"length":495,"function_hash":"55100844653558367235999944493663546515"},"source":"https://github.com/indeedeng/util/commit/c0952a9db51a880e9544d9fac2a2218a6bfc9c63","signature_version":"v1","deprecated":false,"id":"CVE-2020-36634-fa8cd4c6"}],"vanir_signatures_modified":"2026-04-11T16:25:23Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36634.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}