CVE-2018-16249

Name of the Vulnerable Software and Affected Versions Symphony versions prior to 3.3.0

Description The issue allows for remote attacks via XSS in the Title under Post. The articleTitle ID is stored in the articleTitle JSON field. When accessing the "/member/test/points" URI, it executes a payload. An admin-authenticated user can insert any Web script or HTML via a crafted website name.

Recommendations For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /member/test/points URI until the update is applied. Additionally, restrict the ability of admin-authenticated users to insert crafted website names.