CVE-2019-15228

Published: Aug 20, 2019Modified: Nov 21, 2024

5.4

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.

Affected (1)

Products: Thedaylightstudio: Fuel Cms

Thedaylightstudio

1 product

Fuel Cms

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Thedaylightstudio Fuel Cms	Up to 1.4.4

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/daylightstudio/FUEL-CMS/issues/536

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.sevenlayers.com/index.php/237-fuelcms-1-4-4-xss

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/daylightstudio/FUEL-CMS/issues/536

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.sevenlayers.com/index.php/237-fuelcms-1-4-4-xss

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.