CVE-2018-16637
Description
Stored XSS in Evolution CMS 1.4.x allows attackers to inject arbitrary JavaScript via the page weblink title parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Evolution CMS 1.4.x contains a stored cross-site scripting (XSS) vulnerability in the manager interface. The pagetitle field of a weblink document is not sanitized before being displayed in the document tree and other manager views. The commit [1] shows that the html_escape() function was added to escape output. Affected versions: Evolution CMS 1.4.x.
Exploitation
An attacker with at least edit_document permission can create or edit a weblink document and inject malicious JavaScript into the title parameter. When an administrator or other user views the document tree in the manager (e.g., at /manager/#?a=3), the script executes in their browser. No user interaction beyond viewing the manager page is required. [4] provides a proof of concept.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored, so it affects all users who view the affected page.
Mitigation
The fix was committed in commit 2b8aaa6224997155de0fe9440ad106bd98dc4f4b [1]. Users should upgrade to a patched version (likely 1.4.x with the fix applied). As of the publication date (2018-12-28), no official release containing the fix is mentioned, but applying the patch manually is recommended. The vulnerability is not listed on CISA KEV.
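For anyone applying the patch by hand, the following is an added example (not code from Evolution CMS or the advisory): a heuristic Python check that flags manager template lines where one of the text fields covered by the commit is echoed without an escaping call around it. The sample lines are copied from the two sides of the diff on this page; the function names and the `SAFE_CALLS` set are assumptions of this example.

```python
import re

# Text fields the fix commit wraps in html_escape() (taken from the diff on this page).
TEXT_FIELDS = ("pagetitle", "longtitle", "description", "introtext", "alias")
# Assumption of this example: calls that escape, or that return a length, not markup.
SAFE_CALLS = {"html_escape", "htmlspecialchars", "iconv_strlen"}

PHP_TAG = re.compile(r"<\?(?:=|php)(.*?)\?>", re.S)
STRING = r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"'
TOKEN = re.compile(
    r"(?P<str>" + STRING + r")"
    r"|(?P<call>\w+)\s*\(|(?P<open>\()|(?P<close>\))"
    r"|\$(?:content|children)\['(?P<field>" + "|".join(TEXT_FIELDS) + r")'\]"
    r"\s*(?P<cmp>[!=]=)?"
)


def unescaped_sinks(line):
    """Text fields echoed on this line with no escaping call around them."""
    found = []
    # Template lines: inspect each <?= ... ?> block; plain PHP lines: the whole line.
    for code in PHP_TAG.findall(line) or [line]:
        calls = []  # names of the calls whose parentheses are currently open
        for tok in TOKEN.finditer(code):
            if tok.group("call"):
                calls.append(tok.group("call"))
            elif tok.group("open"):
                calls.append("")
            elif tok.group("close"):
                del calls[-1:]  # pop the innermost call, if any
            elif tok.group("field") and not tok.group("cmp"):
                # A comparison such as `!= ''` is a test, not output, so it is skipped.
                if not SAFE_CALLS.intersection(calls):
                    found.append(tok.group("field"))
    return found


def audit(lines):
    """Map 1-based line number -> unescaped fields, for lines that have any."""
    hits = ((n, unescaped_sinks(text)) for n, text in enumerate(lines, 1))
    return {n: fields for n, fields in hits if fields}


# Sample input: lines copied from the "-" and "+" sides of the diff on this page.
BEFORE = [r'''<td><b><?= $content['pagetitle'] ?></b></td>''',
          r'''<small><?= $content['longtitle'] != '' ? $content['longtitle'] : "(<i>" . $_lang['not_set'] . "</i>)" ?></small>''']
AFTER = [r'''<td><b><?= html_escape($content['pagetitle'], $modx->config['modx_charset']) ?></b></td>''',
         r'''<small><?= $content['longtitle'] != '' ? html_escape($content['longtitle'], $modx->config['modx_charset']) : "(<i>" . $_lang['not_set'] . "</i>)" ?></small>''']
```

Running `audit()` over the lines of `manager/actions/document_data.static.php` should return an empty mapping once the patch is in place; the check works line by line, so a string literal that spans several lines can produce a false positive.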
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| evolutioncms/evolution (Packagist) | >= 1.4, < 1.4.6 | 1.4.6 |
Patches
1 file changed · +11 −11
manager/actions/document_data.static.php+11 −11 modified@@ -188,9 +188,9 @@ //$class .= ($children['hidemenu'] ? ' text-muted' : ' text-primary'); //$class .= ($children['isfolder'] ? ' font-weight-bold' : ''); if($modx->hasPermission('edit_document')) { - $title = '<span class="doc-item' . $private . '">' . $icon . '<a href="index.php?a=27&id=' . $children['id'] . $add_path . '">' . '<span class="' . $class . '">' . $children['pagetitle'] . '</span></a></span>'; + $title = '<span class="doc-item' . $private . '">' . $icon . '<a href="index.php?a=27&id=' . $children['id'] . $add_path . '">' . '<span class="' . $class . '">' . html_escape($children['pagetitle'], $modx->config['modx_charset']) . '</span></a></span>'; } else { - $title = '<span class="doc-item' . $private . '">' . $icon . '<span class="' . $class . '">' . $children['pagetitle'] . '</span></span>'; + $title = '<span class="doc-item' . $private . '">' . $icon . '<span class="' . $class . '">' . html_escape($children['pagetitle'], $modx->config['modx_charset']) . '</span></span>'; } $icon_pub_unpub = (!$children['published']) ? '<a href="index.php?a=61&id=' . $children['id'] . $add_path . '" title="' . $_lang["publish_resource"] . '"><i class="' . $_style["icons_publish_document"] . '"></i></a>' : '<a href="index.php?a=62&id=' . $children['id'] . $add_path . '" title="' . $_lang["unpublish_resource"] . '"><i class="' . $_style["icons_unpublish_resource"] . '" ></i></a>'; 
@@ -257,7 +257,7 @@ class="' . $_style["icons_move_document"] . '"></i></a>' . $icon_pub_unpub : '') <script type="text/javascript" src="media/script/tablesort.js"></script> <h1> - <i class="fa fa-info"></i><?= iconv_substr($content['pagetitle'], 0, 50, $modx->config['modx_charset']) . (iconv_strlen($content['pagetitle'], $modx->config['modx_charset']) > 50 ? '...' : '') . ' <small>(' . $_REQUEST['id'] . ')</small>' ?> + <i class="fa fa-info"></i><?= html_escape(iconv_substr($content['pagetitle'], 0, 50, $modx->config['modx_charset']), $modx->config['modx_charset']) . (iconv_strlen($content['pagetitle'], $modx->config['modx_charset']) > 50 ? '...' : '') . ' <small>(' . (int)$_REQUEST['id'] . ')</small>' ?> </h1> <?= $_style['actionbuttons']['static']['document'] ?> 
@@ -279,29 +279,29 @@ class="' . $_style["icons_move_document"] . '"></i></a>' . $icon_pub_unpub : '') </tr> <tr> <td width="200" valign="top"><?= $_lang['resource_title'] ?>:</td> - <td><b><?= $content['pagetitle'] ?></b></td> + <td><b><?= html_escape($content['pagetitle'], $modx->config['modx_charset']) ?></b></td> </tr> <tr> <td width="200" valign="top"><?= $_lang['long_title'] ?>:</td> <td> - <small><?= $content['longtitle'] != '' ? $content['longtitle'] : "(<i>" . $_lang['not_set'] . "</i>)" ?></small> + <small><?= $content['longtitle'] != '' ? html_escape($content['longtitle'], $modx->config['modx_charset']) : "(<i>" . $_lang['not_set'] . "</i>)" ?></small> </td> </tr> <tr> <td valign="top"><?= $_lang['resource_description'] ?>:</td> - <td><?= $content['description'] != '' ? $content['description'] : "(<i>" . $_lang['not_set'] . "</i>)" ?></td> + <td><?= $content['description'] != '' ? html_escape($content['description'], $modx->config['modx_charset']) : "(<i>" . $_lang['not_set'] . "</i>)" ?></td> </tr> <tr> <td valign="top"><?= $_lang['resource_summary'] ?>:</td> - <td><?= $content['introtext'] != '' ? $content['introtext'] : "(<i>" . $_lang['not_set'] . "</i>)" ?></td> + <td><?= $content['introtext'] != '' ? html_escape($content['introtext'], $modx->config['modx_charset']) : "(<i>" . $_lang['not_set'] . "</i>)" ?></td> </tr> <tr> <td valign="top"><?= $_lang['type'] ?>:</td> <td><?= $content['type'] == 'reference' ? $_lang['weblink'] : $_lang['resource'] ?></td> </tr> <tr> <td valign="top"><?= $_lang['resource_alias'] ?>:</td> - <td><?= $content['alias'] != '' ? $content['alias'] : "(<i>" . $_lang['not_set'] . "</i>)" ?></td> + <td><?= $content['alias'] != '' ? html_escape($content['alias'], $modx->config['modx_charset']) : "(<i>" . $_lang['not_set'] . "</i>)" ?></td> </tr> <tr> <td colspan="2"> </td> 
@@ -349,7 +349,7 @@ class="' . $_style["icons_move_document"] . '"></i></a>' . $icon_pub_unpub : '') </tr> <tr> <td><?= $_lang['resource_opt_menu_index'] ?>:</td> - <td><?= $content['menuindex'] ?></td> + <td><?= html_escape($content['menuindex'], $modx->config['modx_charset']) ?></td> </tr> <tr> <td><?= $_lang['resource_opt_show_menu'] ?>:</td> @@ -371,7 +371,7 @@ class="' . $_style["icons_move_document"] . '"></i></a>' . $icon_pub_unpub : '') </tr> <tr> <td><?= $_lang['page_data_template'] ?>:</td> - <td><?= $templatename ?></td> + <td><?= html_escape($templatename, $modx->config['modx_charset']) ?></td> </tr> <tr> <td><?= $_lang['page_data_editor'] ?>:</td> @@ -393,7 +393,7 @@ class="' . $_style["icons_move_document"] . '"></i></a>' . $icon_pub_unpub : '') <div class="form-group clearfix"> <?php if($numRecords > 0) : ?> <div class="float-xs-left"> - <span class="publishedDoc"><?= $numRecords . ' ' . $_lang['resources_in_container'] ?> (<strong><?= $content['pagetitle'] ?></strong>)</span> + <span class="publishedDoc"><?= $numRecords . ' ' . $_lang['resources_in_container'] ?> (<strong><?= html_escape($content['pagetitle'], $modx->config['modx_charset']) ?></strong>)</span> </div> <?php endif; ?> <div class="float-xs-right">
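Review bot: In the @@ -188 hunk the expression html_escape($children['pagetitle'], $modx->config['modx_charset']) is written out in both branches of the edit_document check; compute the escaped title once above the if and reuse it, so the two branches cannot drift apart. The href in the first branch still concatenates $children['id'] and $add_path as they are; if either can hold anything other than an integer and a fixed query string, cast or escape them in the same change.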
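Review bot: In the @@ -279 hunk the "value or not_set fallback" ternary is now repeated for longtitle, description, introtext and alias, each with its own html_escape call; a small helper that takes the value and returns either the escaped text or the "(<i>" . $_lang['not_set'] . "</i>)" fallback would keep the escaping in one place and make a missed field easier to spot in later edits.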
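Review bot: In the @@ -349 hunk menuindex is passed through html_escape, while the @@ -257 hunk handles the numeric request id with an (int) cast; if menuindex is always an integer, an (int) cast here would be consistent with that hunk and state the intent more directly.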
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8h24-3cjr-xxmh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-16637 (ghsa, ADVISORY)
- github.com/evolution-cms/evolution/commit/2b8aaa6224997155de0fe9440ad106bd98dc4f4b (ghsa, WEB)
- github.com/evolution-cms/evolution/issues/788 (ghsa, WEB)
- github.com/security-breachlock/CVE-2018-16637/blob/master/evolution_xss_stored.pdf (ghsa, x_refsource_MISC, WEB)