The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor. The vulnerability is triggered by visiting /portfolio/${project_title}.
References
Link | Resource |
---|---|
https://github.com/Bixie/pagekit-portfolio/issues/44 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-10-09T20:00:00
Updated: 2018-10-09T19:57:01
Reserved: 2018-10-09T00:00:00
Link: CVE-2018-18087
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-10-09T20:29:00.480
Modified: 2018-11-24T02:57:20.037
Link: CVE-2018-18087
JSON object: View
Redhat Information
No data.
CWE