ADVISORIES

• CVE-2018-18307 (NVD)
• GHSA-7mj4-2984-955f

GEM

alchemy_cms

SEVERITY

CVSS v3.x: 5.9 (Medium)

UNAFFECTED VERSIONS

• < 4.1.0

PATCHED VERSIONS

None.

DESCRIPTION

A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image filename field.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2018-18307
• http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
• https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
• https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
• https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
• https://github.com/advisories/GHSA-7mj4-2984-955f