PT-2018-14341 · Bixie · Bixie Portfolio

Iceware

Published

2018-10-09

Updated

2018-11-24

CVE-2018-18087

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Bixie Portfolio plugin version 1.2.0

Description The issue allows a logged-in user with the "Manage portfolio" privilege to inject arbitrary web script or HTML via the Image URL field in the portfolio editor. This is triggered by visiting the "/portfolio/${project title}" API endpoint.

Recommendations For Bixie Portfolio plugin version 1.2.0, consider disabling the portfolio editor for users with the "Manage portfolio" privilege until a fix is available. Restrict access to the "/portfolio/${project title}" API endpoint to minimize the risk of exploitation. Avoid using the Image URL field in the portfolio editor until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-18087

Affected Products

Bixie Portfolio

PT-2018-14341 · Bixie · Bixie Portfolio

CVE-2018-18087

Weakness Enumeration

Related Identifiers

Affected Products

References · 3