Description

index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.

Remediation

References

CVE-2018-20418

Related Vulnerabilities

IBM RTC Improper Restriction of XML External Entity Reference Vulnerability (CVE-2016-0284)

WordPress Plugin Watu Quiz Cross-Site Scripting (3.1.2.5)

WordPress Plugin Content Timeline Multiple SQL Injection Vulnerabilities (4.4.2)

WordPress Plugin WP Pipes Unspecified Vulnerability (1.28)

WordPress Plugin Crafty Social Buttons Cross-Site Scripting (1.5.6)

Severity

Medium

Classification

CVE-2018-20418 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities