CVE-2018-19350

Name of the Vulnerable Software and Affected Versions SeaCMS version 6.6.4

Description The issue concerns a stored XSS that can be triggered via the member.php?action=chgpwdsubmit endpoint, specifically through the email parameter during a password change process. This can be exploited by using a data: URL within an OBJECT element.

Recommendations For SeaCMS version 6.6.4, as a temporary workaround, consider restricting access to the member.php?action=chgpwdsubmit endpoint until a patch is available. Avoid using the email parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.