VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2018 · Updated Aug 5, 2024

CVE-2018-16361

Description

XBTIT 2.5.4's news.php is vulnerable to reflected XSS via the id parameter, allowing arbitrary JavaScript execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

XBTIT version 2.5.4 contains a reflected cross-site scripting (XSS) vulnerability in news.php. The id parameter is not properly sanitized, allowing an attacker to inject arbitrary HTML and JavaScript code. The anti-XSS mechanism in includes/crk_protection.php can be bypassed using a technique involving String.replace and eval as described in [1].

Exploitation

An attacker can craft a malicious link with a payload in the id parameter and trick an authenticated user into clicking it. The payload can bypass the anti-XSS filter by splitting dangerous strings with tildes and reconstructing them using JavaScript's String.replace and eval [1]. No special network position or authentication is required; the attacker only needs to convince a user to visit the crafted URL.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, account compromise, or other malicious actions performed on behalf of the victim. The attacker gains the same privileges as the victim user.

Mitigation

No official fix has been disclosed in the available references [1]. Administrators are advised to apply proper input validation and output encoding for the id parameter in news.php, or monitor for updates from the vendor. As of the publication date, no patched version has been released.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Bti Tracker/Xbtit (inferred), 2 versions
    • (no CPE) range: = 2.5.4
    • (no CPE) range: = 2.5.4

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of the id parameter in news.php allows reflected cross-site scripting."

Attack vector

An authenticated attacker crafts a URL to /index.php?page=news&act=edit with a malicious id parameter containing JavaScript. The id parameter value must start with a valid news item ID, followed by a payload that breaks out of the HTML attribute context [1]. When a victim (also authenticated) visits the crafted URL, the injected script executes in their browser, enabling cookie theft including the session cookie [1].

Affected code

The vulnerability exists in news.php, specifically in the edit action at /index.php?page=news&act=edit [1]. The id parameter is reflected into the page output without proper sanitization or encoding.

What the fix does

The advisory recommends updating to a version that supersedes 2.5.4 or applying the linked patch [1]. No patch diff is provided in the bundle, but the fix would involve properly escaping or sanitizing the id parameter before rendering it in the HTML output of the news edit page, preventing attribute injection and script execution.
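
One way to implement the input validation and output encoding described under Mitigation and "What the fix does", as an added example that is not XBTIT's code or a vendor patch. The function names and the hidden form field are hypothetical, and the example assumes news IDs are positive integers.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not XBTIT's own code.
// Assumption: news IDs are positive integers of at most 9 digits.

/**
 * Allowlist check: the whole value must be a canonical decimal integer.
 * A blocklist filter has to anticipate every encoding of a dangerous
 * string (the tilde-splitting trick defeats that); an allowlist does not.
 * Rejecting, rather than truncating to the leading digits, means a valid
 * ID followed by markup is never processed or echoed.
 */
function parse_news_id($raw): ?int
{
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Encode a value for HTML text or a quoted attribute. */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical stand-in for the part of the edit page that reflects id. */
function render_edit_field(array $query): string
{
    $id = parse_news_id($query['id'] ?? null);
    if ($id === null) {
        return 'rejected (HTTP 400)';
    }
    // Render the validated integer, never the raw string, and still
    // encode at the output point as a second layer.
    return '<input type="hidden" name="id" value="' . html_attr((string) $id) . '">';
}

// Constructed sample inputs: one valid ID and several malformed values.
$samples = ['2', '2" data-x="1', '2~', ' 2', '0', ['2']];
foreach ($samples as $sample) {
    echo json_encode($sample), ' => ', render_edit_field(['id' => $sample]), "\n";
}

// If a raw value must be displayed (for example in an error page), encode it:
echo html_attr('2" data-x="1'), "\n";
```

Only the first sample is accepted; the others are rejected before any output is built, and the final line shows the quotes of a raw value rendered as entities so they cannot close the attribute.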

Preconditions

  • auth: Attacker must be authenticated to access the news edit page.
  • input: The id parameter value must start with a valid news item ID.

Reproduction

Send a GET request to /index.php?page=news&act=edit&id=2%22%3E%3Cimg%20src=x%20onerror=%22eval(/a~lert(do~cu~me~nt~.c~oo~k~ie)/.toString().replace(/~/g,%20%27%27).slice(1,-1))%22%3E%3C%22 with a valid session cookie [1]. The injected JavaScript executes in the browser of any authenticated user who visits the URL.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
