The Discuss v1.2.1 module in Claromentis 8.2.2 is vulnerable to stored Cross Site Scripting (XSS). An authenticated attacker will be able to place malicious JavaScript in the discussion forum, which is present in the login landing page. A low privilege user can use this to steal the session cookies from high privilege accounts and hijack these, enabling them to hijack the elevated session and perform actions in their security context.
References
Link | Resource |
---|---|
https://seclists.org/fulldisclosure/2018/Oct/12 | Exploit Mailing List Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-10-08T17:00:00
Updated: 2018-10-08T16:57:01
Reserved: 2018-08-27T00:00:00
Link: CVE-2018-15903
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-10-08T17:29:00.327
Modified: 2018-11-26T17:53:21.437
Link: CVE-2018-15903
JSON object: View
Redhat Information
No data.
CWE