The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor. The vulnerability is triggered by visiting /portfolio/${project_title}.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://github.com/Bixie/pagekit-portfolio/issues/44 |
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2018-10-09T20:00:00
Updated: 2024-08-05T11:01:14.782Z
Reserved: 2018-10-09T00:00:00
Link: CVE-2018-18087
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2018-10-09T20:29:00.480
Modified: 2018-11-24T02:57:20.037
Link: CVE-2018-18087
Redhat
No data.