Typesetter · Typesetter · CVE-2018-20837
Name of the Vulnerable Software and Affected Versions:
Typesetter version 5.1
Description:
The issue concerns an XSS vulnerability in the include/admin/Menu/Ajax.php file. Specifically, it affects the "index.php/Admin/Menu/Ajax?cmd=AddHidden" endpoint, where the `title` parameter is vulnerable to XSS attacks.
Recommendations:
For Typesetter version 5.1, consider restricting access to the vulnerable "index.php/Admin/Menu/Ajax" endpoint until a patch is available. As a temporary workaround, avoid using the `cmd=AddHidden` parameter in this endpoint to minimize the risk of exploitation.