CVE-2018-16775
Description
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the site name in the "Categories" menu.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Victor CMS through 2018-05-10 has stored XSS via the site name field in the Categories menu, allowing arbitrary script injection.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Victor CMS through 2018-05-10. The vulnerability is located in the site name field under the "Categories" menu, specifically the "ADD" button. An attacker can inject arbitrary JavaScript or HTML into the site name input, which is then stored without proper sanitization. The affected versions are all releases up to and including 2018-05-10 [1].
Exploitation
An attacker must have administrative access to the CMS backend. The attack involves navigating to the "Categories" menu, entering malicious script into the site name field, and saving. The injected code executes when any user views the category list, leading to persistent XSS. No user interaction beyond the initial malicious save is required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data. The attack is stored, so the payload affects all subsequent visitors [1].
Mitigation
No official fix has been released as of the publication date (2018-09-10). Administrators should sanitize user input in the site name field and consider upgrading to a patched version if available. Until a fix is applied, avoid inputting untrusted data into the category name field [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2018-05-10
- Range: <= 2018-05-10
Patches
No patches discovered yet.
References
- [1] github.com/VictorAlagwu/CMSsite/issues/3 (mitre, x_refsource_MISC)