CVE-2019-16130

Name of the Vulnerable Software and Affected Versions YII2-CMS version 1.0

Description The issue concerns a Cross-Site Scripting (XSS) problem. It is located in the protectedcoremoduleshomemodelsContact.php file, specifically via the name field. This field is vulnerable when accessed through the "/contact.html" API endpoint.

Recommendations For YII2-CMS version 1.0, as a temporary workaround, consider validating and sanitizing the name field in the Contact.php file to prevent XSS attacks. Restrict access to the "/contact.html" endpoint until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.