CVE-2018-18307

Name of the Vulnerable Software and Affected Versions AlchemyCMS version 4.1.0

Description A Stored XSS issue has been found in AlchemyCMS via the "/admin/pictures" image field. The vendor disputes the validity of this report, stating that the researcher used an authorized cookie to access a password-protected route, which would have been rejected without the session cookie.

Recommendations For version 4.1.0, as a temporary workaround, consider restricting access to the "/admin/pictures" image field until a patch is available. Avoid using the image filename field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.