PT-2018-18902 · Z Blogphp · Z-Blogphp
Hiwin · Published 2018-04-15 · Updated 2018-05-18 · CVE-2018-9169
| CVSS v3.1 | 4.8 (Medium) |
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Z-BlogPHP version 1.5.1
Description
The issue allows for XSS via the app_id parameter in the zb_users/plugin/AppCentre/plugin_edit.php endpoint. Exploitation requires the request to be made by an authenticated administrator, either through direct access or by luring a logged-in administrator into issuing it via CSRF, so the injected script runs with the administrator's privileges.
Recommendations
For Z-BlogPHP version 1.5.1, avoid passing the app_id parameter to the zb_users/plugin/AppCentre/plugin_edit.php endpoint until the issue is resolved, and treat links to that endpoint from untrusted sources as suspect while an administrator session is active, since the CSRF path depends on exactly such a link. As a temporary workaround, consider restricting access to the plugin_edit.php component (for example to trusted source addresses) to minimize the risk of exploitation.
Fix
XSS
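The pattern behind the description and recommendations above, as an added example that is not Z-BlogPHP's own code: a generic admin-side PHP handler that reflects a parameter named app_id (the name comes from the advisory; the surrounding HTML, the function names renderVulnerable, renderHardened, issueCsrfToken and checkCsrfToken, and the sample request are assumptions made for illustration), first in the vulnerable form and then with the two controls that address what the advisory describes: HTML-attribute encoding of the reflected value, and a per-session CSRF token so that a forged cross-site request riding on an administrator's cookie is rejected.

```php
<?php
// Added illustrative example, not Z-BlogPHP's own code. It models the generic
// pattern behind an XSS in an admin-only endpoint that reflects a request
// parameter (named app_id here, as in the advisory) into HTML, and the two
// controls that close the bug class: output encoding and a CSRF token check.
declare(strict_types=1);

// Vulnerable pattern (assumed shape, for illustration): the parameter is
// reflected into an attribute unchanged, so a value containing a double quote
// followed by markup breaks out of the attribute and injects a script.
function renderVulnerable(array $get): string
{
    $appId = $get['app_id'] ?? '';
    return '<input type="text" name="app_id" value="' . $appId . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES encodes
// both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from making the
// encoder return an empty string, and the charset is stated explicitly.
function renderHardened(array $get): string
{
    $appId = $get['app_id'] ?? '';
    $safe  = htmlspecialchars($appId, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="app_id" value="' . $safe . '">';
}

// CSRF control: the advisory notes the endpoint can be hit through CSRF,
// because an administrator's browser attaches the session cookie to any
// request a third-party page triggers. A random per-session token that the
// forging page cannot read, compared in constant time, breaks that path.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function checkCsrfToken(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $actual   = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($actual) && hash_equals($expected, $actual);
}

// Constructed sample request: the kind of value an attacker would plant in a
// link sent to an administrator.
$constructedGet = ['app_id' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable output:\n" . renderVulnerable($constructedGet) . "\n\n";
echo "Hardened output:\n"   . renderHardened($constructedGet) . "\n\n";

// Constructed session and POST bodies for the CSRF check: a genuine form
// submission carries the token, a forged cross-site request does not.
$session = [];
$token   = issueCsrfToken($session);
echo "Genuine submission accepted: " . var_export(checkCsrfToken($session, ['csrf_token' => $token]), true) . "\n";
echo "Forged submission accepted:  " . var_export(checkCsrfToken($session, ['csrf_token' => 'guess']), true) . "\n";
echo "Token missing accepted:      " . var_export(checkCsrfToken($session, []), true) . "\n";
```

Run it with the PHP CLI to compare the two renderings. Encoding alone stops the planted value from executing as script, while the token check is what stops the endpoint from being driven from a third-party page in the first place; the advisory's temporary workaround of restricting access to plugin_edit.php reduces exposure but replaces neither control.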
Weakness Enumeration
Related Identifiers
Affected Products
Z-Blogphp