VYPR
Unrated severity · NVD Advisory · Published Mar 17, 2019 · Updated Aug 5, 2024

CVE-2018-16519

Description

COYO 9.0.8, 10.0.11 and 12.0.4 has cross-site scripting (XSS) via URLs used by "iFrame" widgets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

COYO versions 9.0.8, 10.0.11, and 12.0.4 are vulnerable to persistent cross-site scripting via malicious URLs in iFrame widgets.

Vulnerability

COYO versions 9.0.8, 10.0.11, and 12.0.4 are affected by a persistent cross-site scripting (XSS) vulnerability in the iFrame widget [1][2]. The server does not validate the URL configured for an iFrame widget, so an attacker can store a javascript: URL that the browser executes as arbitrary JavaScript each time the widget is rendered [2].

Exploitation

An attacker with the ability to create or edit pages (authenticated user with appropriate permissions) can exploit this by adding an iFrame widget and setting its URL to a javascript: URI, such as javascript:alert("XSS") [2]. Once saved, any user visiting the page will trigger the script execution in their browser context.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session within the COYO application. This can lead to data theft, session hijacking, defacement, or other malicious actions performed with the victim's privileges.

Mitigation

The vendor released a fix on 2019-01-16 [2]. Users should update to the latest version of COYO. No workarounds are documented. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

  • COYO/COYO (llm-create)
    Range: 9.0.8, 10.0.11, 12.0.4

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing validation of URLs used by iFrame widgets allows `javascript:` URIs to be stored and executed."

Attack vector

An attacker creates a page, adds a Content app, and inserts an iFrame widget. For the widget's URL field, the attacker supplies a `javascript:` URI such as `javascript:alert("SySS XSS");` [ref_id=1]. The server does not validate whether the URL contains JavaScript calls, so when a victim visits the page the malicious JavaScript executes in the victim's browser session [ref_id=1]. This is a persistent (stored) cross-site scripting attack because the malicious widget is saved on the server and served to all visitors [ref_id=1].

Affected code

The advisory does not specify exact file paths or functions. The vulnerability exists in the server-side handling of URLs for "iFrame" widgets in COYO versions 9.0.8, 10.0.11, and 12.0.4 [ref_id=1].

What the fix does

The advisory states the solution is to "Update to the current version of COYO" [ref_id=1]. No patch diff is provided in the bundle. The fix presumably adds validation of URLs used by iFrame widgets to reject or sanitize `javascript:` URIs and other dangerous schemes, preventing the injection of arbitrary JavaScript code [ref_id=1].
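The attack vector and fix sections above describe the missing check in prose only. The Node.js snippet below is an added example, not COYO's code and not taken from the advisory: it shows the vulnerable rendering shape (attribute escaping alone, which does nothing against a `javascript:` scheme) next to a scheme-allowlist validator of the kind the fix is presumed to add. Function names, the `sandbox` choice and the sample URLs (including the advisory's `javascript:alert("SySS XSS");` payload) are assumptions.

```javascript
// Added example: allowlist validation for an iFrame widget URL, beside the
// unvalidated rendering that produces the stored XSS. Not COYO's code; all names
// are assumptions made for illustration.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Normalize and validate a user-supplied widget URL. Returns the canonical
// absolute URL when its scheme is http(s), otherwise null. Rejecting rather than
// "sanitizing" avoids having to enumerate javascript:, data:, vbscript:, blob: ...
function validateIframeUrl(raw) {
  if (typeof raw !== "string") return null;
  // Browsers drop ASCII tab/newline anywhere in a URL and strip leading/trailing
  // C0 controls and spaces before resolving the scheme, so "java\tscript:alert(1)"
  // still executes. Apply the same normalization before looking at the scheme.
  const cleaned = raw
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  if (cleaned === "") return null;
  let parsed;
  try {
    parsed = new URL(cleaned); // throws for relative URLs; the widget needs an absolute target
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Minimal HTML attribute escaping. Necessary, but not sufficient: it only stops
// breaking out of the quoted attribute, it does not change the URL scheme.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable shape (assumed, matching the advisory's description): the stored URL
// is escaped but never scheme-checked, so a javascript: target is persisted and
// executed by every visitor's browser when the iframe is created.
function renderIframeWidgetVulnerable(url) {
  return `<iframe src="${escapeAttr(url)}"></iframe>`;
}

// Fixed shape: validate on save and again on render, and put the frame in a
// sandbox without allow-same-origin as defence in depth, so even a page that runs
// script inside the frame lives in an opaque origin and cannot read the COYO session.
function renderIframeWidget(url) {
  const safe = validateIframeUrl(url);
  if (safe === null) {
    throw new Error("iFrame widget URL must be an absolute http(s) URL");
  }
  return `<iframe src="${escapeAttr(safe)}" sandbox="allow-scripts allow-forms"></iframe>`;
}
```

Run the validator on both the save path and the render path: a check only at save time leaves every widget stored before the fix, and anything written through an import or API path, still exploitable on render.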

Preconditions

  • auth: Attacker must have permission to create or edit pages with iFrame widgets in COYO
  • input: Victim must visit the page containing the malicious iFrame widget

Reproduction

1. Create a page in COYO.
2. Add app > Content.
3. Add new widget > iFrame.
4. For URL, insert `javascript:alert("SySS XSS");` and save.
5. Any user visiting the page will see the JavaScript alert execute [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.