CVE-2020-28847
Description
Valine v1.4.14 contains a stored XSS vulnerability in the nick parameter allowing arbitrary JavaScript injection in comments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Valine, a fast comment system by xCss, version v1.4.14 is vulnerable to stored Cross-Site Scripting (XSS) via the nick parameter in the comment submission API at /classes/Comment [1][2]. The application fails to sanitize or encode user-supplied input for the nick field, allowing arbitrary HTML and JavaScript to be stored and executed [4].
Exploitation
An attacker can send a crafted HTTP POST request to the Valine comment endpoint with a malicious payload in the nick field [4]. The request does not require authentication or any special privileges; any visitor who can post a comment can exploit this vulnerability [4]. The attacker injects a payload such as an element carrying a `srcdoc` attribute that contains HTML-encoded JavaScript; the payload is stored and then executed in the browsers of all subsequent visitors who view the page with the injected comment [4].
Impact
Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser when they visit the page containing the malicious comment [2][4]. This can result in session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is high because the payload persists and affects every user who views the compromised page [4].
Mitigation
The vulnerability is fixed in Valine version v1.4.15, released on an unknown date [3]. Users should upgrade to v1.4.15 or later to mitigate the issue [3]. No workarounds are documented in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| valine | npm | < 1.4.15 | 1.4.15 |
Affected products
- xCss/Valine
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable input in the `nick` parameter before it is rendered in a web page, allowing stored cross-site scripting."
Attack vector
An attacker sends a POST request to `/1.1/classes/Comment` with a crafted `nick` field containing HTML and JavaScript payloads, such as an `
Affected code
The vulnerability exists in the comment submission handler at the `/1.1/classes/Comment` endpoint of Valine v1.4.14. The `nick` parameter is accepted and later rendered in the web page without sanitization, allowing arbitrary HTML/JavaScript injection [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] identifies that the `nick` field is not neutralized before being rendered as part of a web page. The remediation would require sanitizing or encoding the `nick` input on the server side before storing it, and/or escaping it on output to prevent HTML/JavaScript execution.
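The remediation described above, output-encoding the `nick` field so the browser treats it as text rather than markup, is shown here as an added example; this is not Valine's code and the comment shape `{ nick, comment }` is an assumption. The unsafe renderer reproduces the vulnerable pattern (stored value concatenated straight into HTML); the hardened renderer encodes every untrusted field at the point of output, and a small server-side normaliser shows the complementary input-side check the text mentions.

```javascript
// Added example, not Valine's code. Assumed stored-comment shape: { nick, comment }.

// Every HTML-significant character is mapped to an entity, so the value can
// never open a tag, close an attribute, or start an entity of its own.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored nick is interpolated directly into markup.
// Whatever the submitter stored in `nick` is parsed as HTML by every viewer.
function renderCommentUnsafe(entry) {
  return `<div class="vcomment"><span class="vnick">${entry.nick}</span>` +
         `<div class="vcontent">${entry.comment}</div></div>`;
}

// Hardened pattern: each untrusted field is encoded when it is written out.
// Encoding on output protects existing stored data as well as new submissions.
function renderCommentSafe(entry) {
  return `<div class="vcomment"><span class="vnick">${escapeHtml(entry.nick)}</span>` +
         `<div class="vcontent">${escapeHtml(entry.comment)}</div></div>`;
}

// Server-side complement (hypothetical helper): normalise a nick before storing it.
// Strips control characters and bounds the length; output encoding still applies.
function normaliseNick(nick, maxLen = 40) {
  const cleaned = String(nick).replace(/[\u0000-\u001f\u007f]/g, '').trim();
  if (cleaned.length === 0) return 'Anonymous';
  return cleaned.slice(0, maxLen);
}

// Constructed sample: a nick that carries markup, as a stored-XSS comment would.
const SAMPLE_ENTRY = {
  nick: 'Alex<script>alert(1)</script>',
  comment: 'Nice post & thanks',
};

// Stand-alone demonstration: the unsafe output contains a live tag, the safe one does not.
console.log('unsafe:', renderCommentUnsafe(SAMPLE_ENTRY));
console.log('safe:  ', renderCommentSafe(SAMPLE_ENTRY));
```

Encoding belongs at the HTML boundary; escaping the same value for a JavaScript string or a URL needs a different encoder, so the input-side normaliser is a defence in depth step, not a replacement for output encoding.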
Preconditions
- network: The attacker must be able to send HTTP POST requests to the Valine comment endpoint.
- config: The target Valine instance must be version 1.4.14.
- auth: No authentication is required to post a comment.
Reproduction
Send a POST request to `/1.1/classes/Comment` with a JSON body containing a `nick` field that includes an HTML/JavaScript payload. For example, set `"nick": "Alex\\\"
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6xvq-2gj8-4276 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28847 (NVD advisory)
- github.com/xCss/Valine/issues/348 (issue report)
- github.com/xCss/Valine/releases/tag/v1.4.15 (release notes)
News mentions
No linked articles in our index yet.