CVE-2018-16358

Name of the Vulnerable Software and Affected Versions Dotclear versions prior to 2.14.2

Description A cross-site scripting (XSS) issue exists in the media manager, allowing remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml. This occurs due to a vulnerability in the inc/core/class.dc.core.php file.

Recommendations For versions prior to 2.14.2, update to version 2.14.2 or later to resolve the issue. As a temporary workaround, consider restricting file uploads with the .ahtml extension in the media manager until a patch is applied.