PT-2018-13992 · Weaselcms · Weaselcms

Cbiuo · Published 2018-09-23 · Updated 2018-11-09 · CVE-2018-17361

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WeaselCMS version 0.3.6
Description: The issue allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php because $_SERVER['PHP_SELF'] is mishandled. This can be exploited by sending a malicious request to the "index.php" endpoint.
Recommendations: For WeaselCMS version 0.3.6, update to a version where the handling of $_SERVER['PHP_SELF'] is corrected to prevent the injection of arbitrary web script or HTML. As a temporary workaround, consider validating and sanitizing the PATH_INFO to prevent malicious input.
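The weak and corrected handling of $_SERVER['PHP_SELF'] described above, as an added PHP illustration of this vulnerability class; it is not WeaselCMS's own code, and the request values, function names and the PATH_INFO check are constructed for the example:

```php
<?php
// Added illustration of reflected XSS via PHP_SELF (the class named in this advisory).
// Not WeaselCMS code; the $server array below is a constructed sample request.

// Weak pattern: PHP_SELF is the script name plus any PATH_INFO the client appended,
// so echoing it unescaped lets request-controlled text land inside the markup.
function formActionWeak(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Corrected pattern: derive the action from SCRIPT_NAME (no PATH_INFO component)
// and HTML-encode it before it reaches the page.
function formActionSafe(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Temporary workaround from the advisory: validate PATH_INFO before any page code
// runs, accepting only plain slash-separated segments (hypothetical allow-list).
function pathInfoIsClean(?string $pathInfo): bool
{
    if ($pathInfo === null || $pathInfo === '') {
        return true;
    }
    return (bool) preg_match('#^(/[A-Za-z0-9_\-]+)+/?$#', $pathInfo);
}

// Constructed request: extra path text appended after index.php by the client.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/"><i>injected</i>',
    'PHP_SELF'    => '/index.php/"><i>injected</i>',
];

echo formActionWeak($server), PHP_EOL;   // the quote in PATH_INFO closes the attribute early
echo formActionSafe($server), PHP_EOL;   // action stays /index.php, encoded
var_dump(pathInfoIsClean($server['PATH_INFO']));   // the workaround rejects this request
```

Detection-wise, the same check can be applied at the web server or WAF layer: a request to index.php whose PATH_INFO contains quotes or angle brackets is worth alerting on, since no legitimate route in this pattern needs them.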

XSS

Weakness Enumeration

Related Identifiers: CVE-2018-17361

Affected Products: Weaselcms