PT-2018-13135 · Btiteam · Xbtit
Rastating · Published 2018-09-05 · Updated 2020-08-24
CVE-2018-15677
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
BTITeam XBTIT version 2.5.4
Description
XBTIT 2.5.4 contains a stored cross-site scripting (XSS) vulnerability: the title of a news item is written into the newsfeed without HTML encoding, so a title containing script markup is executed in the browser of every user who views the news page at "/index.php?page=viewnews". Because the news-posting form carries no anti-CSRF protection, the malicious item can also be planted through cross-site request forgery: an attacker who lures a logged-in user with news-posting rights to a crafted page can have that user's browser submit the payload, without the attacker holding such rights themselves. The CVSS vector (UI:R, S:C, C:L/I:L) reflects this: a victim must load the page, and the script then acts within the tracker's origin on behalf of whoever views it.
Recommendations
For version 2.5.4, restrict who can post news and who can view the newsfeed until a fixed release is available, and avoid placing untrusted content in the title field. The underlying fix is the usual one for this class of bug: HTML-encode the title (and every other user-controlled field) at output time rather than trusting what is stored, and require a session-bound anti-CSRF token on the news submission form, verified before the item is saved. Filtering the title on input alone is not sufficient, since existing database rows and other write paths bypass it.
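The following is an added illustration of the vulnerable rendering pattern beside its hardened form, together with the anti-CSRF check recommended above. It is not XBTIT's code (XBTIT is PHP; this is a Python model of the same logic), the function names and the sample news item are constructed for the example, and the CSRF token scheme assumed here (an HMAC over a random nonce keyed with a per-session secret) is one common design, not the project's.

```python
import hashlib
import hmac
import html
import secrets

# Constructed sample news item of the kind the advisory describes:
# the title carries a script payload that a vulnerable page would execute.
NEWS_ITEM = {
    "title": '<script>alert(document.cookie)</script>',
    "body": "Tracker maintenance tonight.",
}


def render_news_unsafe(item: dict) -> str:
    """Vulnerable pattern: the stored title is interpolated into HTML as-is,
    so markup in the title reaches every viewer's browser unchanged."""
    return f"<h2>{item['title']}</h2><p>{item['body']}</p>"


def render_news_safe(item: dict) -> str:
    """Hardened pattern: every user-controlled field is HTML-encoded at output
    time. The stored value stays raw; encoding is a property of the output."""
    title = html.escape(item["title"], quote=True)
    body = html.escape(item["body"], quote=True)
    return f"<h2>{title}</h2><p>{body}</p>"


def issue_csrf_token(session_secret: bytes) -> str:
    """Mint a token bound to the caller's session: a random nonce plus an
    HMAC-SHA256 of that nonce under the session secret. (Assumed scheme.)"""
    nonce = secrets.token_hex(16)
    mac = hmac.new(session_secret, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_secret: bytes, token: str) -> bool:
    """Accept only tokens whose MAC verifies under this session's secret.
    A page on another origin cannot know the secret, so it cannot forge one."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(session_secret, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_add_news(session_secret: bytes, form: dict, stored: list) -> bool:
    """Simulated 'add news' handler: refuse the submission unless the form
    carries a valid token for this session, otherwise store the item raw
    (encoding happens in render_news_safe, not here)."""
    if not verify_csrf_token(session_secret, form.get("csrf_token", "")):
        return False
    stored.append({"title": form["title"], "body": form["body"]})
    return True


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    print("unsafe:", render_news_unsafe(NEWS_ITEM))
    print("safe:  ", render_news_safe(NEWS_ITEM))
    items: list = []
    forged = {"title": NEWS_ITEM["title"], "body": NEWS_ITEM["body"]}
    print("forged post accepted:", handle_add_news(secret, forged, items))
    legit = dict(forged, csrf_token=issue_csrf_token(secret))
    print("token-bearing post accepted:", handle_add_news(secret, legit, items))
```

The two rendering functions make the advisory's point concrete: the same stored row is harmless or exploitable depending only on whether the output path encodes it. The token check closes the CSRF route described above; note that this minimal scheme does not track nonces, so a token can be reused within the session it was issued for, which is acceptable for CSRF defence but would need server-side state if single-use tokens are required.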
Affected Products
Xbtit