CVE-2018-18290

Name of the Vulnerable Software and Affected Versions nc-cms versions through 2017-03-10

Description An issue was discovered that allows XSS via the HTML Source Editor in the "index.php?action=edit html&name=home content" endpoint. The vendor disputes this issue because the form requires administrator privileges and entering JavaScript is supported functionality.

Recommendations For nc-cms versions through 2017-03-10, as a temporary workaround, consider restricting access to the "index.php?action=edit html&name=home content" endpoint to minimize the risk of exploitation. Avoid using the HTML Source Editor in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.