PT-2018-17100 · Reservo · Reservo Image Hosting

Dennis Veninga

Published

2018-01-24

Updated

2018-02-09

CVE-2018-5705

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Reservo Image Hosting version 1.6

Description: The issue allows for XSS attacks, potentially enabling attackers to steal user sessions, including those of administrators, by executing malicious code when an infected URL is accessed. This is particularly concerning due to the presence of a user/admin login interface. The vulnerability is specifically related to the search engine function, which is accessible through the "t" parameter to the "/search" URI.

Recommendations: For Reservo Image Hosting version 1.6, consider disabling the search engine function or restricting access to the /search URI until a fix is available. Additionally, avoid using the t parameter in the /search URI to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-5705

Affected Products

Reservo Image Hosting

PT-2018-17100 · Reservo · Reservo Image Hosting

CVE-2018-5705

Weakness Enumeration

Related Identifiers

Affected Products

References · 4