PT-2018-15362 · Pixel & Tonic · Craft Cms

Raif Berkay Dincel

Published

2018-12-24

Updated

2022-05-14

CVE-2018-20418

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Craft CMS version 3.0.25

Description The issue allows for cross-site scripting (XSS) by saving a new title from the console tab, specifically through the "index.php?p=admin/actions/entries/save-entry" endpoint.

Recommendations For Craft CMS version 3.0.25, as a temporary workaround, consider restricting access to the "index.php?p=admin/actions/entries/save-entry" endpoint until a patch is available. Avoid using this endpoint to save new titles from the console tab until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-20418

GHSA-72PF-CVWQ-VGQG

Affected Products

Craft Cms

PT-2018-15362 · Pixel & Tonic · Craft Cms

CVE-2018-20418

Weakness Enumeration

Related Identifiers

Affected Products

References · 9