PT-2019-9840 · Webgalamb

Daniel Jones · Published 2019-03-17 · Updated 2019-03-21 · CVE-2018-19509

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Webgalamb version 7.0
Description: Webgalamb's wg7.php escapes output with ad-hoc, per-call-site uses of htmlspecialchars() rather than a templating engine that encodes every value for the context it lands in (HTML body, attribute, JavaScript). Attacker-supplied strings are therefore stored in the database unchanged and later rendered in the administration interface without adequate encoding, so arbitrary JavaScript runs in the administrator's browser: a stored cross-site scripting (XSS) vulnerability. The vector (PR:N, UI:R, S:C) reflects that the payload can be planted without credentials and fires when an administrator views the affected page.
Recommendations: For Webgalamb version 7.0, the durable fix is to render wg7.php output through a templating engine (or a single escaping layer) that encodes every value for its output context, instead of relying on individual htmlspecialchars() calls that are easy to omit or to apply with the wrong flags. As a temporary workaround, restrict access to wg7.php at the web-server level to trusted administrator addresses and validate input on submission. Note that input filtering alone does not close the hole, because the defect is missing output encoding; a Content-Security-Policy that disallows inline script reduces the impact of any payload that still reaches the page while the code is being fixed.
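The following PHP is an added illustration written for this entry; it is not Webgalamb's code and does not reproduce wg7.php. The subscriber record, the function names (renderRowVulnerable, renderRowHardened, escHtml, escAttr, escJs) and the showName() JavaScript helper are all hypothetical. It shows why a single opportunistic htmlspecialchars() call is not enough: the same value needs different encoding depending on whether it lands in an HTML body, a quoted attribute, or a script block, and the pre-PHP 8.1 default flags (ENT_COMPAT, passed explicitly here so the behaviour is the same on any PHP version) do not touch single quotes at all.

```php
<?php
// Added example, not Webgalamb code. Contrasts ad-hoc htmlspecialchars() use
// with per-context escaping. Requires PHP >= 7.3 (JSON_THROW_ON_ERROR).
declare(strict_types=1);

// Constructed "row from the database", as a mailing-list script might store a
// subscriber. An attacker controls these fields through the public sign-up form.
$row = [
    'name'  => "Bob' onmouseover='alert(1)",                 // breaks out of a single-quoted attribute
    'email' => "<img src=x onerror=alert(document.cookie)>", // raw markup in a body context
];

// --- Vulnerable pattern: escaping applied opportunistically, call site by call site.
function renderRowVulnerable(array $row): string
{
    // ENT_COMPAT (the default before PHP 8.1) converts only double quotes, so this
    // escape does nothing useful inside the single-quoted title attribute below.
    $name = htmlspecialchars($row['name'], ENT_COMPAT);
    // This field was simply never escaped.
    $email = $row['email'];
    return "<tr><td title='$name'>$name</td><td>$email</td></tr>\n";
}

// --- Hardened pattern: one escaper per output context, used for every value.
function escHtml(string $s): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids silently returning ""
    // on invalid UTF-8, which would otherwise blank out a record and hide the problem.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escAttr(string $s): string
{
    // Same rules as the body context, provided the attribute is always double-quoted
    // in the template (an unquoted attribute would need a stricter encoder).
    return escHtml($s);
}

function escJs(string $s): string
{
    // JSON-encode with HTML-safe flags so the literal cannot close a <script> block
    // or break out of the string, regardless of the characters it contains.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderRowHardened(array $row): string
{
    $name  = escAttr($row['name']);
    $email = escHtml($row['email']);
    $js    = escJs($row['name']);
    return "<tr><td title=\"$name\">$name</td><td>$email</td>"
         . "<td><script>showName($js);</script></td></tr>\n";
}

echo "Vulnerable:\n", renderRowVulnerable($row);
echo "Hardened:\n",   renderRowHardened($row);
```

Running the file with the PHP CLI prints the vulnerable row with a live onmouseover handler and an unescaped img tag, and the hardened row with both values neutralised in every context. The practical lesson for a code base like wg7.php is that the fix is not "add more htmlspecialchars() calls" but moving all output through escapers that are chosen by the template position, so a missed or mis-flagged call cannot occur.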

Tags: Exploit · Fix · XSS


Weakness Enumeration: none listed

Related Identifiers: CVE-2018-19509

Affected Products: Webgalamb