Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-20418Cross-site Scripting in Craft CMS

CWE-79Cross-site Scripting5 documents5 sources
Severity
4.8MEDIUMNVD
EPSS
0.5%
top 35.35%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Craftcms CMSCraftcms Craft CMS
Timeline
PublishedDec 24
Latest updateMay 14

Description

index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

Packagistcraftcms/cms3.0.25
NVDcraftcms/craft_cms3.0.25

🔴Vulnerability Details

3
GHSA
Craft CMS Cross-site Scripting (XSS) Vulnerability2022-05-14
OSV
Craft CMS Cross-site Scripting (XSS) Vulnerability2022-05-14
CVEList
CVE-2018-20418: index2018-12-24

💥Exploits & PoCs

1
Exploit-DB
Craft CMS 3.0.25 - Cross-Site Scripting2018-12-27
CVE-2018-20418 — Cross-site Scripting in Craft CMS | cvebase