CVE-2018-15677
Description
Stored XSS in BTITeam XBTIT 2.5.4 newsfeed via news title, also exploitable via CSRF, allowing arbitrary JS execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Stored cross-site scripting (XSS) exists in the newsfeed (/index.php?page=viewnews) of BTITeam XBTIT 2.5.4 via the title parameter of a news item [1]. The application includes a filter in includes/crk_protection.php that can be bypassed using JavaScript string manipulation with eval [1].
Exploitation
An attacker can create a news item with a malicious title containing a JavaScript payload, such as eval(/a~lert(do~cu~me~nt~.c~oo~k~ie)/.toString().replace(/~/g, '').slice(1,-1)), to bypass the anti-XSS filter [1]. The vulnerability is also exploitable via CSRF by tricking an authenticated administrator into submitting a crafted request to add a news item with the payload [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the browser of any user viewing the newsfeed, leading to session hijacking, cookie theft, or other client-side attacks [1]. The attacker does not need special privileges beyond the ability to add news items or trick an admin.
Mitigation
No official fix has been released; the software is likely end-of-life [1]. Workarounds include disabling the newsfeed feature, applying manual input validation and output encoding, or restricting access to the news addition functionality. No known CISA KEV listing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 2.5.4
- (no CPE) range: = 2.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the news title field and lack of CSRF protection on the news submission form allow stored XSS."
Attack vector
An attacker can craft a news item with a malicious title containing JavaScript (e.g., `<img src=x onerror=alert(1)>`) and submit it via the news form [ref_id=1]. Because the application lacks CSRF protection on the news submission action, an attacker can also lure an authenticated user to a page that auto-submits a form, causing the victim's browser to create a news item with the attacker's XSS payload [ref_id=1]. When any user views the newsfeed at `/index.php?page=viewnews`, the stored script executes in their browser.
Affected code
The vulnerability exists in the newsfeed feature at `/index.php?page=viewnews` and the news submission handler at `/index.php?page=news&act=confirm` [ref_id=1]. The `title` parameter of a news item is not sanitized before storage and display.
What the fix does
The advisory states the fix is to "update to the version that supersedes 2.5.4 or apply This Patch" [ref_id=1]. No patch diff is included in the bundle, so the exact code changes are unknown. The remediation would involve adding CSRF tokens to the news submission form and sanitizing or encoding the news title before rendering it on the viewnews page.
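The two controls the remediation above calls for, as an added PHP illustration that is not XBTIT's own code: the function and form-field names (`handle_news_submit`, `csrf_token`, `store_news_item`) are assumptions, and `session_start()` is assumed to have run.

```php
<?php
// Added illustration, not XBTIT's own code: the two controls named in the
// remediation. Function and form-field names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the stored title is interpolated into HTML verbatim,
// so markup or script in the title runs in every viewer's browser.
function render_news_title_unsafe(string $title): string
{
    return '<h2>' . $title . '</h2>';
}

// Hardened: HTML-encode at render time. ENT_QUOTES also encodes single
// quotes, so the value is inert inside attribute values as well as text.
function render_news_title(string $title): string
{
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h2>';
}

// CSRF token: one random value per session (session_start() assumed), embedded
// as a hidden field in the news form and checked in constant time on submit.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// Submission handler sketch for page=news&act=confirm: reject requests that
// lack a valid token before anything is stored, then validate the title.
function handle_news_submit(array $post): string
{
    if (!csrf_check($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Request rejected: missing or invalid CSRF token';
    }
    $title = trim($post['title'] ?? '');
    if ($title === '' || mb_strlen($title, 'UTF-8') > 200) {
        return 'Request rejected: invalid title';
    }
    // store_news_item($title);  // hypothetical persistence call
    return render_news_title($title);
}
```

Encoding at render time (rather than only filtering on input) is what defeats the eval/string-manipulation bypass described above, since the browser never sees the stored title as markup.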
Preconditions
- auth: The attacker must have the ability to submit a news item (either directly or via CSRF)
- auth: For CSRF exploitation, the victim must be authenticated and visit a page controlled by the attacker
- input: The news item with the malicious title must be viewed on /index.php?page=viewnews
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/btiteam/xbtit/pull/58 (MITRE, x_refsource_CONFIRM)
- rastating.github.io/xbtit-multiple-vulnerabilities/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.