PT-2018-13748 · Dedecms · Dedecms
Ghost · Published 2018-09-21 · Updated 2018-11-08 · CVE-2018-16786
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
DedeCMS version 5.7 SP2
Description
The issue allows XSS via an onhashchange attribute in the msg parameter to the "/plus/feedback_ajax.php" API endpoint.
Recommendations
For DedeCMS version 5.7 SP2, consider restricting access to the "/plus/feedback_ajax.php" API endpoint until a patch is available, and avoid using the msg parameter in this endpoint to minimize the risk of exploitation.
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Dedecms