CVE-2018-18943

Name of the Vulnerable Software and Affected Versions baserCMS versions prior to 4.1.4

Description An issue was discovered in the Register New Category feature of the Upload menu, where the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader categories/edit URI.

Recommendations For versions prior to 4.1.4, update to version 4.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/uploader/uploader categories/edit URI to minimize the risk of exploitation. Avoid using the data[UploaderCategory][name] parameter in the affected API endpoint until the issue is resolved.