CVE-2018-11512

Published: May 28, 2018Modified: Nov 21, 2024

4.8

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.

Affected (1)

Products: Creatiwity: Witycms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Creatiwity Witycms	Version 0.6.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/Creatiwity/wityCMS/commit/7967e5bf15b4d2ee6b85b56e82d7e1229147de44

Source: cve@mitre.org

Patch

https://github.com/Creatiwity/wityCMS/issues/150

Source: cve@mitre.org

ExploitIssue TrackingPatchThird Party Advisory

https://www.exploit-db.com/exploits/44790/

Source: cve@mitre.org

ExploitPatchThird Party AdvisoryVDB Entry

https://github.com/Creatiwity/wityCMS/commit/7967e5bf15b4d2ee6b85b56e82d7e1229147de44

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/Creatiwity/wityCMS/issues/150

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

https://www.exploit-db.com/exploits/44790/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party AdvisoryVDB Entry

Timeline

No history available yet.