CVE-2018-16805

Name of the Vulnerable Software and Affected Versions b3log Solo version 2.9.3

Description The issue allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator, exploiting an XSS vulnerability in the Input page under the Publish Articles menu. The vulnerability is related to the linkAddress ID stored in the link JSON field.

Recommendations For b3log Solo version 2.9.3, update to a newer version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Input page under the Publish Articles menu to minimize the risk of exploitation. Avoid using the linkAddress ID in the link JSON field until the issue is resolved.