{
  "schema_version": "1.4.0",
  "id": "GHSA-v9vh-7cjg-2wjm",
  "modified": "2022-05-24T17:37:10Z",
  "published": "2022-05-24T17:37:10Z",
  "aliases": [
    "CVE-2020-35650"
  ],
  "details": "Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php.",
  "severity": [],
  "affected": [],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35650"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/michiiii/81d801f563138abe7da61e2d95342202"
    },
    {
      "type": "WEB",
      "url": "https://www.uncannyowl.com/knowledge-base/uncanny-learndash-groups-changelog"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-23T16:15:00Z"
  }
}