CVE-2018-18307
NONE EPSS 74.3%
Published: Oct 16, 2018 (7y ago) · Last Modified: Jun 17, 2026 (2w ago)
Description
A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized."
Threat Intelligence
EPSS Exploit Probability: 74.3% (percentile)
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses (1)
CWE-79 Cross-site Scripting Injection
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| alchemy-cms | alchemy_cms | 4.1.0 | any |
References (5)
- packetstormsecurity.com http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
- github.com https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
- github.com https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
- github.com https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
- exploit-db.com https://www.exploit-db.com/exploits/45601
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.