VYPR
Moderate severity · OSV Advisory · Published Dec 28, 2018 · Updated Aug 5, 2024

CVE-2018-16638

Description

Evolution CMS 1.4.x is vulnerable to reflected XSS via the search parameter in the manager/ endpoint, allowing arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Evolution CMS versions 1.4.x are vulnerable to a reflected cross-site scripting (XSS) vulnerability in the manager/ endpoint. The searchfields, url, and content parameters are not properly sanitized before being reflected in the search form input fields, allowing an attacker to inject arbitrary HTML or JavaScript [1][4].

Exploitation

An attacker must be logged into the Evolution CMS backend. The attacker can craft a malicious URL containing an XSS payload in one of the vulnerable parameters (e.g., searchfields) and trick an authenticated administrator into clicking it. When the administrator visits the crafted URL, the injected script executes in the context of their session [1][4].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data within the Evolution CMS administrative interface [1][4].

Mitigation

The vulnerability was fixed in commit b59d1f5 by applying html_escape() to the user-supplied values [2]. Users should upgrade to a version of Evolution CMS that includes this fix or apply the patch manually. No workaround is available if the patch is not applied [2][4].
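To make the fix concrete, here is an added example (not Evolution CMS code; it uses PHP's htmlspecialchars() directly rather than the project's html_escape(), and the function names, the $charset parameter and the sample input are assumptions). It shows the escaped reflection into a double-quoted attribute that the patch introduces, plus a hardened form of the search-highlight routine that quotes the whole search term for the regex instead of only the parentheses.

```php
<?php
// Added example, not part of Evolution CMS. Names here (escapeHtml,
// renderSearchInput, highlightSafe, $charset) are assumptions.

// Escape for an HTML attribute or text context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE keeps an invalid byte sequence from blanking the string.
function escapeHtml(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Mirrors the patched form lines: the request value is escaped on output.
// A non-string value (name[]=x) is treated as empty instead of being escaped.
function renderSearchInput(string $name, array $request, string $charset = 'UTF-8'): string
{
    $raw = $request[$name] ?? '';
    $value = is_string($raw) ? $raw : '';
    return '<input name="' . escapeHtml($name, $charset) . '" type="text" value="'
        . escapeHtml($value, $charset) . '" />';
}

// Hardened counterpart of highlightingCoincidence(): preg_quote() escapes every
// regex metacharacter and the '!' delimiter, the text is escaped before
// highlighting, and a failed preg_replace() yields the escaped text, not null.
function highlightSafe(string $text, string $search, string $charset = 'UTF-8'): string
{
    $escapedText = escapeHtml($text, $charset);
    $term = trim($search);
    if ($term === '') {
        return $escapedText;
    }
    // Escape the term the same way as the text so '&' matches '&amp;'.
    $pattern = '!(' . preg_quote(escapeHtml($term, $charset), '!') . ')!isu';
    $result = preg_replace($pattern, '<span class="text-danger">$1</span>', $escapedText);
    return $result === null ? $escapedText : $result;
}

// Constructed sample request: a value that would have closed the attribute in
// the unpatched template, and an array where a string is expected.
$sample = ['searchfields' => '"><b>x</b>', 'url' => ['not', 'a', 'string']];
echo renderSearchInput('searchfields', $sample), "\n";
echo renderSearchInput('url', $sample), "\n";
echo highlightSafe('Tom & Jerry (1940)', '& jerry (19'), "\n";
```

Running the script shows the quote and angle brackets of the first value rendered as entities, the array value reduced to an empty attribute, and the highlight span wrapping the escaped match.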

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: evolutioncms/evolution (Packagist)
Affected versions: >= 1.4.0, < 1.4.6
Patched versions: 1.4.6

Patches

Commit b59d1f57be37

Fix #789

https://github.com/evolution-cms/evolution · Agel_Nash · Aug 22, 2018 · via ghsa
1 file changed · +6 −5
  • manager/actions/search.static.php · +6 −5 · modified
    @@ -31,7 +31,7 @@
                     <div class="row form-row">
                         <div class="col-md-3 col-lg-2"><?= $_lang['search_criteria_top'] ?></div>
                         <div class="col-md-9 col-lg-10">
    -                        <input name="searchfields" type="text" value="<?= (isset($_REQUEST['searchfields']) ? $_REQUEST['searchfields'] : '') ?>" />
    +                        <input name="searchfields" type="text" value="<?= (isset($_REQUEST['searchfields']) ? html_escape($_REQUEST['searchfields'], $modx->config['modx_charset']) : '') ?>" />
                             <small class="form-text"><?= $_lang['search_criteria_top_msg'] ?></small>
                         </div>
                     </div>
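Review bot: the escaped value lands inside a double-quoted attribute, so this line is only safe if html_escape() encodes the double quote (htmlspecialchars() does with its default flags or ENT_QUOTES); that should be confirmed against the helper's definition. Separately, `$_REQUEST['searchfields']` is an array when the request sends `searchfields[]=...`; if html_escape() hands that to htmlspecialchars() the result is a warning and an empty value, so an `is_string()` check or a string cast before the escape would make the reflection robust.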
    @@ -58,14 +58,14 @@
                     <div class="row form-row">
                         <div class="col-md-3 col-lg-2">URL</div>
                         <div class="col-md-9 col-lg-10">
    -                        <input name="url" type="text" value="<?= (isset($_REQUEST['url']) ? $_REQUEST['url'] : '') ?>" />
    +                        <input name="url" type="text" value="<?= (isset($_REQUEST['url']) ? html_escape($_REQUEST['url'], $modx->config['modx_charset'])  : '') ?>" />
                             <small class="form-text"><?= $_lang['search_criteria_url_msg'] ?></small>
                         </div>
                     </div>
                     <div class="row form-row">
                         <div class="col-md-3 col-lg-2"><?= $_lang['search_criteria_content'] ?></div>
                         <div class="col-md-9 col-lg-10">
    -                        <input name="content" type="text" value="<?= (isset($_REQUEST['content']) ? $_REQUEST['content'] : '') ?>" />
    +                        <input name="content" type="text" value="<?= (isset($_REQUEST['content']) ? html_escape($_REQUEST['content'], $modx->config['modx_charset']) : '') ?>" />
                             <small class="form-text"><?= $_lang['search_criteria_content_msg'] ?></small>
                         </div>
                     </div>
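Review bot: style point on the `url` line: there is a double space before `: ''`, and the `isset(...) ? html_escape(...) : ''` expression is now repeated verbatim three times in this file. A small helper that returns the escaped request value with the configured charset would keep the escaping in one place and make it harder for a later reflected parameter to miss it. The `url` and `content` inputs share the attribute context of `searchfields`, so the same double-quote and array-value caveats apply here.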
    @@ -422,14 +422,15 @@
      */
     function highlightingCoincidence($text, $search)
     {
    +    global $modx;
         $regexp = '!(' . str_replace(array(
                 '(',
                 ')'
             ), array(
                 '\(',
                 '\)'
    -        ), trim($search)) . ')!isu';
    -    return preg_replace($regexp, '<span class="text-danger">$1</span>', $text);
    +        ), html_escape(trim($search), $modx->config['modx_charset'])) . ')!isu';
    +    return preg_replace($regexp, '<span class="text-danger">$1</span>', html_escape($text, $modx->config['modx_charset']));
     }
     
     /**
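Review bot: the pattern is still built from `$search` with only parentheses escaped; any other regex metacharacter or the `!` delimiter in the search term (`.`, `*`, `+`, `?`, `[`, `|`, `\`, `!`) produces an invalid or unintended pattern, and on a compile failure preg_replace() returns null, so the function returns null instead of the text. Replacing the str_replace() with preg_quote(trim($search), '!') covers all of these, and a null check on the preg_replace() result would let the function fall back to the escaped `$text`. Escaping `$search` before it goes into the pattern is consistent with escaping `$text` (a `&` search then matches `&amp;`), but any caller that already escapes `$text` will now double-escape it, so the call sites should be checked. `global $modx` works, though passing the charset as a parameter would avoid the global.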
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
