LOWCVE-2020-36634CVSS 2.6

CVE-2020-36634: XSS in Indeed Engineering util

Platform

java

Component

indeedeng/util

Fixed in

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22

1.0.23

1.0.24

1.0.25

1.0.26

1.0.27

1.0.28

1.0.29

1.0.30

1.0.31

1.0.32

1.0.33

1.0.34

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026

View on NVD

Save

CVE-2020-36634 describes a problematic cross-site scripting (XSS) vulnerability discovered in Indeed Engineering util. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability affects versions 1.0.0 through 1.0.33, and a fix is available in version 1.0.34.

Impact and Attack Scenarios

Successful exploitation of CVE-2020-36634 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as session cookies, which could be used to impersonate the user. Attackers could also modify the content of the web page, potentially redirecting users to malicious websites or displaying misleading information. The impact is primarily focused on user-facing components of the application, and the blast radius depends on the sensitivity of the data handled by the application.

Exploitation Context

CVE-2020-36634 was published on December 27, 2022. While no active exploitation campaigns have been publicly reported, the presence of a publicly known XSS vulnerability increases the risk of opportunistic attacks. There are no known public proof-of-concept exploits available at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.30% (53% percentile)

CVSS Vector

Affected Software

Componentindeedeng/util

VendorIndeed Engineering

Affected rangeFixed in

1.0.0 – 1.0.01.0.1

1.0.1 – 1.0.11.0.2

1.0.2 – 1.0.21.0.3

1.0.3 – 1.0.31.0.4

1.0.4 – 1.0.41.0.5

1.0.5 – 1.0.51.0.6

1.0.6 – 1.0.61.0.7

1.0.7 – 1.0.71.0.8

1.0.8 – 1.0.81.0.9

1.0.9 – 1.0.91.0.10

1.0.10 – 1.0.101.0.11

1.0.11 – 1.0.111.0.12

1.0.12 – 1.0.121.0.13

1.0.13 – 1.0.131.0.14

1.0.14 – 1.0.141.0.15

1.0.15 – 1.0.151.0.16

1.0.16 – 1.0.161.0.17

1.0.17 – 1.0.171.0.18

1.0.18 – 1.0.181.0.19

1.0.19 – 1.0.191.0.20

1.0.20 – 1.0.201.0.21

1.0.21 – 1.0.211.0.22

1.0.22 – 1.0.221.0.23

1.0.23 – 1.0.231.0.24

1.0.24 – 1.0.241.0.25

1.0.25 – 1.0.251.0.26

1.0.26 – 1.0.261.0.27

1.0.27 – 1.0.271.0.28

1.0.28 – 1.0.281.0.29

1.0.29 – 1.0.291.0.30

1.0.30 – 1.0.301.0.31

1.0.31 – 1.0.311.0.32

1.0.32 – 1.0.321.0.33

1.0.33 – 1.0.331.0.34

Weakness Classification (CWE)

CWE-79

Timeline

Reserved2022-12-27
Published2022-12-27
Modified2024-11-19
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2020-36634 is to upgrade Indeed Engineering util to version 1.0.34 or later, which includes the fix (patch c0952a9db51a880e9544d9fac2a2218a6bfc9c63). If an immediate upgrade is not possible, consider implementing input validation and output encoding on user-supplied data to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload into the vulnerable endpoint and verifying that it is properly sanitized.

How to fix

Actualice la biblioteca Indeed Engineering util a la versión 1.0.34 o superior. Esta versión corrige la vulnerabilidad de Cross-Site Scripting (XSS) presente en versiones anteriores. Puede obtener la versión actualizada desde el repositorio oficial o a través de su gestor de dependencias.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2020-36634 — XSS in Indeed Engineering util?

CVE-2020-36634 is a cross-site scripting (XSS) vulnerability affecting Indeed Engineering util versions 1.0.0 through 1.0.33, allowing attackers to inject malicious scripts.

Am I affected by CVE-2020-36634 in Indeed Engineering util?

You are affected if you are using Indeed Engineering util versions 1.0.0 to 1.0.33. Upgrade to 1.0.34 to resolve the issue.

How do I fix CVE-2020-36634 in Indeed Engineering util?

Upgrade Indeed Engineering util to version 1.0.34 or later. Implement input validation and output encoding as a temporary workaround.

Is CVE-2020-36634 being actively exploited?

No active exploitation campaigns have been publicly reported, but the vulnerability remains a risk.

Where can I find the official Indeed advisory for CVE-2020-36634?

Refer to VDB-216882 for details on this vulnerability.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Java / Maven

Detect this CVE in your project

Upload your pom.xml file and we'll tell you instantly if you're affected.

Supported formats: pom.xml · build.gradle

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Scan free

Search CVEs

Upload pom.xml