CVE-2018-18087

Name of the Vulnerable Software and Affected Versions Bixie Portfolio plugin version 1.2.0

Description The issue allows a logged-in user with the "Manage portfolio" privilege to inject arbitrary web script or HTML via the Image URL field in the portfolio editor. This is triggered by visiting the "/portfolio/${project title}" API endpoint.

Recommendations For Bixie Portfolio plugin version 1.2.0, consider disabling the portfolio editor for users with the "Manage portfolio" privilege until a fix is available. Restrict access to the "/portfolio/${project title}" API endpoint to minimize the risk of exploitation. Avoid using the Image URL field in the portfolio editor until the issue is resolved.