PT-2018-9248 · Wondercms · Wondercms

Tanmay-No · Published 2018-02-09 · Updated 2018-03-05 · CVE-2018-1000062

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WonderCMS version 2.4.0
Description: The issue allows an attacker to execute arbitrary script in an unsuspecting user's browser through a Stored Cross-Site Scripting vulnerability in the file upload functionality. The vulnerable code path is the uploadFileAction() function, which accepts SVG uploads through the mapping 'svg' => 'image/svg+xml'. Because SVG is XML that can carry script, the attack can be performed by uploading a crafted SVG file, which is then served to other users.
Recommendations: For WonderCMS version 2.4.0, consider disabling the uploadFileAction() function or restricting the upload of SVG files until a patch is available. As a temporary workaround, remove the 'svg' => 'image/svg+xml' entry from the file upload functionality so that SVG files are no longer accepted, which minimizes the risk of exploitation.
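Defender-side illustration of the workaround above, as an added example that is not WonderCMS code: an allow-list with the 'svg' => 'image/svg+xml' entry removed, plus a triage check that flags SVG files already on disk which carry script elements, event-handler attributes, javascript: links or foreignObject content. The file names, the SAFE_UPLOAD_TYPES mapping and the two sample SVGs are constructed for this example.

```python
"""Checks for the SVG upload problem described in the advisory (added example).

SVG is XML; an SVG served inline from the site's own origin can run script
in the viewer's browser. The advisory's workaround is to stop accepting
'svg' uploads; svg_active_content() additionally helps triage files that
were uploaded before the workaround was applied.
"""
import xml.etree.ElementTree as ET

# Constructed allow-list: the advisory's 'svg' => 'image/svg+xml' entry is absent.
SAFE_UPLOAD_TYPES = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}


def local_name(tag: str) -> str:
    """Strip an ElementTree namespace prefix such as '{uri}script'."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return a list of findings for an SVG document; empty means none seen.
    Input that does not parse as XML is itself reported as a finding."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():  # includes the root element
        name = local_name(el.tag)
        if name in ("script", "foreignobject"):
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"{aname} handler on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{name}>")
    return findings


def upload_allowed(filename: str) -> bool:
    """Extension allow-list check; 'svg' is rejected because it is not listed."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in SAFE_UPLOAD_TYPES


# Constructed samples for demonstration (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script/></svg>'

if __name__ == "__main__":
    print(svg_active_content(BENIGN_SVG), svg_active_content(ACTIVE_SVG))
    print(upload_allowed("logo.png"), upload_allowed("logo.svg"))
```

The allow-list check is the mitigation; the content scan is only for triage and is not a substitute for rejecting SVG uploads or serving user files from a separate origin.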

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2018-1000062

Affected Products

Wondercms