CVE-2018-16759

Name of the Vulnerable Software and Affected Versions EasyCMS version 1.4

Description The issue concerns the removeXSS function in EasyCMS, which is vulnerable to XSS attacks via an onhashchange event. This is due to the function's inadequate handling of certain events, allowing malicious scripts to be executed.

Recommendations For EasyCMS version 1.4, consider modifying the removeXSS function in App/Common/common.php to properly handle onhashchange events and prevent XSS attacks. As a temporary workaround, consider disabling the removeXSS function until a patch is available. Restrict access to the SearchAction.class.php module to minimize the risk of exploitation.