SB2018021007 - Cross-site scripting in WonderCMS
Published: February 10, 2018 Updated: August 8, 2020
Security Bulletin ID
SB2018021007
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2018-1000062)
The vulnerability allows a remote authenticated user to read and manipulate data.
WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. This attack appear to be exploitable via Crafted SVG File.
Remediation
Install update from vendor's website.