PT-2022-19097 · Fuel Cms
Gidunparo
Published 2022-05-03 · Updated 2022-05-10
CVE-2022-28599
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
FUEL-CMS version 1.5.1
Description
A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1: an authenticated user can upload a .pdf file that carries a script payload, and the CMS stores it and serves it back. If an administrator later opens the stored file in a browser, the embedded script runs in the administrator's session. The low-privileged uploader and higher-privileged victim are why the vector above carries PR:L, UI:R and a changed scope (S:C).
Recommendations
For FUEL-CMS version 1.5.1, until a patch is available, restrict the upload of .pdf files or validate uploaded PDFs so that files carrying JavaScript or auto-run actions are rejected. Independently of that check, serve user uploads with Content-Disposition: attachment and X-Content-Type-Options: nosniff (or from a separate origin), so that a PDF which does slip through is downloaded rather than rendered inline in the site's origin. As a temporary workaround, limit administrator access to the areas where the stored payload could be opened.
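As an added example (not FUEL-CMS code), the following Python scanner implements the upload-time validation recommended above: it flags PDFs that carry JavaScript or auto-triggered actions, including ones that hide the relevant names behind PDF hex escapes or inside FlateDecode-compressed object streams. The sample PDFs are constructed for this example, and `validate_pdf_upload` is a hypothetical helper, not a FUEL-CMS API.

```python
"""Upload-time check for PDFs that carry active content.

Added example (not FUEL CMS code). A PDF becomes a stored-XSS vector only if
it carries script that a browser's inline PDF viewer will run, so the check
looks for the PDF name objects that introduce such content, after undoing two
evasions: #xx hex escapes inside names and FlateDecode-compressed streams.
The sample PDFs at the bottom are constructed for this example.
"""
import re
import zlib

# Name objects that introduce script or auto-triggered actions; the lookahead
# keeps '/JS' from matching the start of an unrelated longer name.
_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?![A-Za-z0-9_])")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every zlib-compressed stream."""
    inflated = []
    for m in _STREAM.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (or corrupt); raw bytes are still scanned
    return b"\n".join([data, *inflated])


def _unescape_names(data: bytes) -> bytes:
    """Turn '/Java#53cript' back into '/JavaScript' (PDF name hex escapes)."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_active_content(data: bytes) -> list[str]:
    """List the active-content names present in a PDF, sorted and de-duplicated."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    # Inflate first: hex-unescaping compressed bytes would corrupt them.
    text = _unescape_names(_inflate_streams(data))
    return sorted({"/" + m.group(1).decode("ascii") for m in _ACTIVE.finditer(text)})


def validate_pdf_upload(data: bytes) -> tuple[bool, list[str]]:
    """Hypothetical upload hook: accept a .pdf only if it has no active content."""
    findings = pdf_active_content(data)
    return (not findings, findings)


# --- constructed samples (not real uploads) ---
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Script runs as soon as the document opens: the classic PDF-XSS shape.
SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert('xss')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same payload hidden from a naive grep: '/OpenAction' is hex-escaped and the
# action dictionary lives in a Flate-compressed object stream (object 5).
_OBJSTM = zlib.compress(b"5 0 << /Type /Action /S /JavaScript /JS (app.alert('xss')) >>")
EVASIVE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(_OBJSTM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _OBJSTM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF), ("evasive", EVASIVE_PDF)):
        print(label, validate_pdf_upload(pdf))
```

The same function can be run over an existing asset directory to find payloads that were stored before the check was in place. It is a deny-list over a deliberately permissive parser (it does not walk the xref table or handle every stream filter), so treat it as defence in depth alongside serving uploads as attachments rather than as the only control.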
Affected Products
Fuel Cms