PT-2017-14502 · Bludit · Bludit

Benjamin Kunz Mejri · Published 2017-11-06 · Updated 2017-11-29 · CVE-2017-16636

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Bludit versions 1.5.2 through 2.0.1

Description: The issue allows remote attackers to bypass the basic editor validation and trigger cross-site scripting. The bypass works by injecting code through an editor tag that the basic validation does not recognize, which lets a restricted user account inject malicious script code and carry out a persistent attack against higher-privilege web-application user accounts. The attack is initiated via a GET request and completed with a follow-up POST request that saves the editor context.

Recommendations: For versions 1.5.2 and 2.0.1, consider disabling the editor functionality until a patch is available, to prevent the injection of malicious script code. Restrict access to the new page, new category, and edit post functions to minimize the risk of exploitation. Avoid using the editor to inject any code until the issue is resolved.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2017-16636

Affected Products

Bludit