CVE-2018-10366
Description
The Users plugin 1.4.5 for October CMS has a stored XSS in the name field because the form_value() helper does not escape output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Users (Front-end user management) plugin version 1.4.5 for October CMS contains a stored cross-site scripting (XSS) vulnerability in the name field [1]. The plugin uses the form_value() helper in the account update form, which does not escape the output value. This allows an attacker to inject arbitrary HTML or JavaScript into the name field, which is then rendered unsanitized on the page [3].
Exploitation
An authenticated user can exploit this vulnerability by updating their profile and inserting malicious code (e.g., ``) into the name field [1]. The injected payload is stored in the database and subsequently executed in the browsers of other users who view the affected profile page, requiring no additional user interaction beyond visiting the page.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, phishing attacks, or defacement of the user-facing profile page. The impact is limited to the front-end user area; administrative backend accounts are not directly affected.
Mitigation
The vulnerability was fixed in commit 098c2bc [3], which replaced the unescaped form_value() helper with the escaped {{ user.name }} output. Users should upgrade to the latest version of the plugin, which includes this fix. No workarounds are documented; updating to a patched version is the recommended mitigation.
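As an added illustration (not code from the rainlab/user-plugin project), the snippet below models the two rendering patterns the fix commit swaps: a value interpolated verbatim into the `value=""` attribute, as `form_value('name')` did, versus one passed through HTML escaping with quotes escaped, which is what Twig's autoescaping does for `{{ user.name }}`. It also includes a small template scan that flags the unescaped pattern, run here over the before/after markup excerpted from the diff on this page. The sample profile name is constructed test data, and `render_unescaped`, `render_escaped`, `attribute_is_intact` and `find_unescaped_form_value` are names chosen for this example.

```python
import html
import re

# Constructed sample profile name containing attribute-breaking characters.
# Test data for this example only; it is not taken from the advisory.
SAMPLE_NAME = 'Bob "the <builder>" & co'

# Same markup shape as the account update form's name field.
TEMPLATE = ('<input name="name" type="text" class="form-control" '
            'id="accountName" value="{value}">')


def render_unescaped(name: str) -> str:
    """Vulnerable pattern: the stored value is interpolated verbatim,
    as form_value('name') did in update.htm before the fix."""
    return TEMPLATE.format(value=name)


def render_escaped(name: str) -> str:
    """Fixed pattern: the value is HTML-escaped with quotes included,
    mirroring Twig's autoescaping of {{ user.name }}."""
    return TEMPLATE.format(value=html.escape(name, quote=True))


_ATTR_VALUE = re.compile(r'value="([^"]*)"')


def extract_value_attribute(rendered: str) -> str:
    """What a browser treats as the value attribute: everything up to the
    first double quote that was not escaped."""
    m = _ATTR_VALUE.search(rendered)
    return m.group(1) if m else ""


def attribute_is_intact(rendered: str, name: str) -> bool:
    """True when the whole name survived inside the attribute and no extra
    tag (a second '<') leaked out into the surrounding markup."""
    value = html.unescape(extract_value_attribute(rendered))
    return value == name and rendered.count("<") == 1


# Detection helper for templates: flag form_value() interpolated straight
# into a value="" attribute, the pattern the fix commit removed.
_FORM_VALUE_IN_ATTR = re.compile(r'value="\{\{\s*form_value\(')


def find_unescaped_form_value(template_src: str) -> list:
    """1-based line numbers in the template source that match the pattern."""
    return [i for i, line in enumerate(template_src.splitlines(), 1)
            if _FORM_VALUE_IN_ATTR.search(line)]


# Markup excerpted from the fix-commit diff, before and after.
VULNERABLE_TEMPLATE = """<div class="form-group">
    <label for="accountName">Full Name</label>
    <input name="name" type="text" class="form-control" id="accountName" value="{{ form_value('name') }}">
</div>
<div class="form-group">
    <label for="accountEmail">Email</label>
    <input name="email" type="email" class="form-control" id="accountEmail" value="{{ form_value('email') }}">
</div>"""

FIXED_TEMPLATE = VULNERABLE_TEMPLATE.replace(
    "{{ form_value('name') }}", "{{ user.name }}").replace(
    "{{ form_value('email') }}", "{{ user.email }}")


if __name__ == "__main__":
    print("unescaped:", render_unescaped(SAMPLE_NAME))
    print("escaped:  ", render_escaped(SAMPLE_NAME))
    print("intact (unescaped):", attribute_is_intact(render_unescaped(SAMPLE_NAME), SAMPLE_NAME))
    print("intact (escaped):  ", attribute_is_intact(render_escaped(SAMPLE_NAME), SAMPLE_NAME))
    print("flagged lines before fix:", find_unescaped_form_value(VULNERABLE_TEMPLATE))
    print("flagged lines after fix: ", find_unescaped_form_value(FIXED_TEMPLATE))
```

With the unescaped rendering the browser's attribute value ends at the first `"` inside the name, so the rest of the stored string lands in tag context; with the escaped rendering the full name round-trips through the attribute and nothing escapes it. The template scan is a cheap check to run across a theme's `.htm` files for any remaining `form_value()` use in attribute position.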
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rainlab/user-plugin (Packagist) | < 1.5.0 | 1.5.0 |
Affected products
Patches
098c2bc90744 KISS and form_value() doesn't use escaping
1 file changed · +4 −4
components/account/update.htm+4 −4 modified@@ -1,13 +1,13 @@ -{{ form_ajax('onUpdate', { model: user }) }} +{{ form_ajax('onUpdate') }} <div class="form-group"> <label for="accountName">Full Name</label> - <input name="name" type="text" class="form-control" id="accountName" value="{{ form_value('name') }}"> + <input name="name" type="text" class="form-control" id="accountName" value="{{ user.name }}"> </div> <div class="form-group"> <label for="accountEmail">Email</label> - <input name="email" type="email" class="form-control" id="accountEmail" value="{{ form_value('email') }}"> + <input name="email" type="email" class="form-control" id="accountEmail" value="{{ user.email }}"> </div> <div class="form-group"> @@ -22,4 +22,4 @@ <button type="submit" class="btn btn-default">Save</button> -{{ form_close() }} \ No newline at end of file +{{ form_close() }}
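Review bot: the first hunk bundles an unrelated, undocumented change with the escaping fix: `-{{ form_ajax('onUpdate', { model: user }) }}` / `+{{ form_ajax('onUpdate') }}` drops the `model: user` option, which the commit message ("form_value() doesn't use escaping") does not mention; either explain it in the message or split it into its own commit. On the fix itself, replacing `{{ form_value('name') }}` and `{{ form_value('email') }}` with `{{ user.name }}` / `{{ user.email }}` relies on Twig autoescaping the attribute value (quotes included), which is the right default, but the same substitution should be applied wherever else form_value() is interpolated into an attribute for user-controlled data. The second hunk only adds the missing trailing newline after `{{ form_close() }}`.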
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44546/ (MITRE, EXPLOIT-DB)
- github.com/advisories/GHSA-x5jc-34xf-c24q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10366 (GHSA advisory)
- github.com/rainlab/user-plugin/commit/098c2bc907443d67e9e18645f850e3de42941d20 (GHSA, confirm)
- www.exploit-db.com/exploits/44546 (GHSA)