CVE-2018-10680

Name of the Vulnerable Software and Affected Versions Z-BlogPHP version 1.5.2

Description The issue allows an administrator to inject a Cross Site Scripting (XSS) payload via the ZC BLOG NAME parameter in the "Web site settings --> Basic setting --> Website title" section, accessible through the zb system/cmd.php endpoint, specifically the "Web site settings --> Basic setting --> Website title" page. The vendor has disputed the security relevance of this issue, characterizing it as a functional bug rather than a security vulnerability.

Recommendations For Z-BlogPHP version 1.5.2, as a temporary workaround, consider restricting access to the ZC BLOG NAME parameter in the zb system/cmd.php endpoint to minimize the risk of exploitation. Avoid using the ZC BLOG NAME parameter in the affected section until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.