CiviCRM < 5.28.1 – CSRF to Stored XSS | CVE 2020-36389

Affects Plugins

civicrm

Fixed in 5.28.1

References

CVE

CVE-2020-36389

URL

https://blog.sonarsource.com/civicrm-code-execution-vulnerability-chain-explained/

YouTube Video

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Dennis Brinkrolf (sonarsource)

Verified

No

WPVDB ID

8af64621-d5b2-4023-9f8c-f300ad284bfc

Timeline

Publicly Published

2021-06-22 (about 4 years ago)

Added

2021-06-23 (about 4 years ago)

Last Updated

2021-08-10 (about 4 years ago)

Other

Published

Title

Published

2026-02-09

Title

Themesflat Elementor <= 1.0.1 - Unauthenticated PHP Object Injection

Published

2025-08-19

Title

Redirection for Contact Form 7 < 3.2.5 - Unauthenticated PHP Object Injection via PHAR Deserialization

Published

2015-09-25

Title

WP Super Cache < 1.4.5 - PHP Object Injection

Published

2024-09-30

Title

Unseen Blog <= 1.0.0 - Authenticated (Contributor+) PHP Object Injection

Published

2025-10-02

Title

Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 - Contributor+ Object Instantiation