PT-2018-11531 · Weblication · Weblication Cms Core & Grid

Benjamin K.M · Published 2018-06-29 · Updated 2018-08-20 · CVE-2018-13002

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Weblication CMS Core & Grid version 12.6.24

Description

A cross-site scripting (XSS) issue was found in Weblication CMS Core & Grid. The vulnerability is located in the wFilemanager.php and index.php files of the /grid5/scripts/ modules. The injection point is the Project Title field, and the execution point is the Inhaltsprojekte output listing section. Remote attackers with privileged user accounts can inject malicious script code to compromise user session credentials or manipulate the web-application module output context. The injection is done through the POST request method.

Recommendations

For Weblication CMS Core & Grid version 12.6.24, consider disabling the wFilemanager.php and index.php files in the /grid5/scripts/ modules as a temporary workaround until a patch is available. Restrict access to the Inhaltsprojekte output listing section to minimize the risk of exploitation. Avoid using the Title field in the Project section until the issue is resolved.


Related Identifiers: CVE-2018-13002

Affected Products: Weblication Cms Core & Grid