{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "4.19" }, { "introduced": "0" }, { "last_affected": "4.19.1" }, { "introduced": "0" }, { "last_affected": "4.20" }, { "introduced": "0" }, { "last_affected": "4.21" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "ac25dc0a1b25c9393349c29a2a16d9ee090541a1" }, { "introduced": "0" }, { "last_affected": "76b48d93d842e17ebd748faad46ebc04dd136db3" }, { "introduced": "0" }, { "last_affected": "f6bd2896028e65abd5bbf3cfbb4c9c48c6605efd" }, { "introduced": "0" }, { "last_affected": "593e22ecb075548f8430722ae0c9503025d20d08" } ], "repo": "https://github.com/boxbilling/boxbilling", "type": "GIT" } ] } ], "details": "Cross Site Scripting (XSS) vulnerability in BoxBilling 4.19, 4.19.1, 4.20, and 4.21 allows remote attackers to run arbitrary code via the message field on the submit new ticket form.", "id": "CVE-2020-23647", "modified": "2026-03-13T21:49:30.616482485Z", "published": "2023-04-28T20:15:13.320Z", "references": [ { "type": "REPORT", "url": "https://github.com/boxbilling/boxbilling/issues/596" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }