CVE-2018-17849
Description
Navigate CMS 2.8 has Stored XSS via a navigate_upload.php (aka File Upload) request with a multipart/form-data JavaScript payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Navigate CMS 2.8 is vulnerable to stored XSS via file upload in navigate_upload.php, allowing an authenticated attacker to inject arbitrary JavaScript.
Vulnerability
Navigate CMS 2.8 suffers from a stored cross-site scripting (XSS) vulnerability in the file upload functionality. The navigate_upload.php script does not properly sanitize file names or content when processing multipart/form-data uploads, allowing an attacker to upload a file containing a JavaScript payload. The vulnerability is triggered when the uploaded file is later accessed or rendered. [1]
Exploitation
An attacker must be authenticated (single authentication required) to access the file upload feature. The attacker sends a POST request to /navigate/navigate_upload.php with a multipart/form-data payload containing JavaScript code. The attack complexity is medium, likely due to the need for a valid session and the specific content-type handling. [1]
Impact
Successful exploitation leads to stored XSS, meaning the injected script executes in the context of any user who views the uploaded file. This can result in partial integrity impact (e.g., defacement, session hijacking) but no direct confidentiality or availability impact. The CVSS score is 3.5 (Low). [1]
Mitigation
As of the publication date (2018-10-04), no official patch or fixed version has been released. Users should restrict access to the file upload functionality, implement input validation and output encoding, or consider upgrading to a later version if available. The vendor website is navigatecms.com. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `name` parameter in the file upload handler allows stored XSS."
Attack vector
An attacker with a valid session (single authentication required) sends a POST request to `navigate_upload.php` with a crafted `name` parameter containing a JavaScript payload, such as `">
Affected code
The vulnerability is in the file upload functionality handled by `navigate_upload.php`. The `name` parameter in the multipart POST request is not sanitized before being stored and later rendered, allowing injection of arbitrary HTML/JavaScript.
What the fix does
No patch is provided in the bundle. The advisory [1] does not include remediation details. To fix this issue, the application must properly sanitize or encode the `name` parameter (and any other user-supplied input) before storing it, and escape output when rendering file names in the administrative interface.
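The two controls described above (normalising the `name` value before it is stored, and encoding it again when it is rendered), as an added PHP sketch. This is not Navigate CMS code; the function names `sanitize_upload_name` and `render_file_name` are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; not Navigate CMS code. Function names are hypothetical.

/**
 * Normalise a client-supplied upload name before it is stored.
 * Allow-list approach: keep letters, digits, dot, dash, underscore, space.
 */
function sanitize_upload_name(string $raw, int $maxLen = 128): string
{
    // Drop any directory component the client sent (both separator styles).
    $name = basename(str_replace('\\', '/', $raw));
    // Replace every character outside the allow-list, including < > " ' &.
    $name = preg_replace('/[^A-Za-z0-9._ -]/', '_', $name) ?? '';
    // No surrounding whitespace and no leading dots (hidden files).
    $name = ltrim(trim($name), '. ');
    $name = substr($name, 0, $maxLen);
    // Never store an empty name; fall back to a random one.
    return $name !== '' ? $name : 'upload_' . bin2hex(random_bytes(8));
}

/**
 * Encode a stored name for an HTML text or quoted-attribute context.
 * Applied at render time even though the name was sanitised on input,
 * so rows stored before the fix are also rendered inertly.
 */
function render_file_name(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: markup metacharacters only, no script payload.
$samples = ['report.pdf', '"><b>x</b>.png', '../../etc/passwd', '...'];
foreach ($samples as $raw) {
    $stored = sanitize_upload_name($raw);
    printf("%-20s stored=%-24s html=%s\n",
        $raw, $stored, render_file_name($stored));
}
// A legacy row that bypassed input sanitising is still encoded on output.
echo render_file_name('"><b>legacy</b>'), "\n";
```

Output encoding is the control that closes the stored XSS; the input allow-list is defence in depth and does not clean names already stored in the database.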
Preconditions
- auth: Attacker must have a valid authenticated session (single authentication required).
- network: The application must be accessible over the network (remote exploitation).
- input: Attacker must be able to send a multipart POST request to navigate_upload.php.
Reproduction
Send a POST request to `/navigate/navigate_upload.php` with a valid `session_id` and a multipart body containing a `name` parameter set to `">
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] cxsecurity.com/issue/WLB-2018100018 (mitre, x_refsource_MISC)