CVE-2018-18307

NONE · EPSS 74.3%
Published Oct 16, 2018 (7y ago) · Modified Jun 17, 2026 (2w ago)

Description

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized."

Threat Intelligence

EPSS Exploit Probability
74.3% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor        Product       Version   Range
alchemy-cms   alchemy_cms   4.1.0     any

References 5

  • packetstormsecurity.com http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
    Exploit · Third Party Advisory · VDB Entry
  • github.com https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
  • github.com https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
  • github.com https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
  • exploit-db.com https://www.exploit-db.com/exploits/45601

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.