PT-2018-14991 · Jtbc · Jtbc
Published
2018-11-26
·
Updated
2020-08-24
·
CVE-2018-19546
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
JTBC(PHP) version 3.0.1.7
Description
The issue concerns a CSRF vulnerability that can be exploited via the "console/xml/manage.php?type=action&action=edit" URI. It is demonstrated by an XSS payload in the
content parameter.Recommendations
For JTBC(PHP) version 3.0.1.7, consider restricting access to the "console/xml/manage.php" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the
content parameter in the affected URI until the issue is resolved.Exploit
Fix
CSRF
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jtbc