CVE-2018-19170

Name of the Vulnerable Software and Affected Versions JPress version 1.0-rc.5

Description The issue concerns stored XSS that can be triggered via the first three input fields. This is demonstrated by the web name parameter in the "/starter-tomcat-1.0/admin/setting" API endpoint.

Recommendations For JPress version 1.0-rc.5, as a temporary workaround, consider restricting access to the "/starter-tomcat-1.0/admin/setting" API endpoint until a patch is available. Avoid using the web name parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.