CVE-2018-16248

Name of the Vulnerable Software and Affected Versions b3log Solo version 2.9.3

Description The issue allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request. This is due to XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the tag JSON field.

Recommendations For version 2.9.3, as a temporary workaround, consider restricting access to the "Publish Articles" menu or disabling the articleTags input field until a patch is available. Avoid using the tag JSON field in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.