CVE-2018-20136

Name of the Vulnerable Software and Affected Versions FUEL CMS version 1.4.3

Description A security issue exists in the software, where an XSS attack can be performed via the Header or Body in the Layout Variables during the creation of a new page. This is demonstrated by the "/pages/edit/1?lang=english" API endpoint.

Recommendations For FUEL CMS version 1.4.3, as a temporary workaround, consider restricting access to the Layout Variables feature during new-page creation until a patch is available. Avoid using the /pages/edit/1?lang=english API endpoint with untrusted input for the lang variable until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.