CVE-2018-17876
Description
Stored XSS vulnerability in Coaster CMS v5.5.0 allows attackers to inject arbitrary JavaScript into stored content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability exists in Coaster CMS version 5.5.0. The application fails to properly sanitize user-supplied input before storing it, allowing attackers to inject malicious scripts that are later executed in the context of other users' browsers when they view the affected content [1][2].
Exploitation
An attacker with the ability to submit content (e.g., through forms or comments) can inject a crafted JavaScript payload. The payload is stored on the server and rendered to other users without sanitization. No special privileges or authentication level is required beyond the ability to submit content [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, depending on the attacker's objectives [2].
Mitigation
As of the publication date, no official patch has been released for Coaster CMS 5.5.0. The recommended mitigation is to upgrade to a later version if available, or to implement input validation and output encoding for all user-supplied data. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ghsa-coords
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stored XSS via improper neutralization of user-controllable input in the CMS admin interface."
Attack vector
An attacker with access to content-editing features in Coaster CMS v5.5.0 can inject malicious JavaScript into fields that are later rendered to other users. Because the application does not neutralize user-controllable input before placing it into web page output [CWE-79], the injected script executes in the browsers of administrators or visitors who view the affected content. The attack requires the attacker to have an account with content-editing privileges, and the payload is stored server-side, affecting every subsequent page load.
Affected code
The bundle does not identify specific files, functions, or code paths. The vulnerability is present in Coaster CMS v5.5.0, a Laravel-based CMS [ref_id=1]. The advisory does not name the particular input fields or controllers involved.
What the fix does
No patch or remediation commit is included in the available bundle. The advisory does not specify a fix version or mitigation steps. Based on the CWE-79 classification, the recommended remediation would be to properly escape or sanitize user-supplied input before rendering it in HTML output, and to apply output encoding contextually (e.g., HTML entity encoding for text content, attribute encoding for tag attributes).
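The contextual output encoding described above, as an added illustration that is not Coaster CMS code and not taken from the advisory. It assumes a plain PHP rendering function; the helper names (encodeText, encodeAttribute, renderTitleUnsafe, renderTitleSafe) and the sample stored value are constructed for this example. Coaster CMS is Laravel-based, and in a Blade template the equivalent of encodeText is `{{ $value }}`, while `{!! $value !!}` emits the stored value raw.

```php
<?php
// Added example (not Coaster CMS code): contextual output encoding for
// user-supplied CMS content, the CWE-79 remediation described above.

declare(strict_types=1);

/** Encode a value for placement in HTML text content (between tags). */
function encodeText(string $value): string
{
    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value for placement inside a quoted HTML attribute. */
function encodeAttribute(string $value): string
{
    // The same character set is escaped; the caller must always quote the
    // attribute, because unquoted attributes end at whitespace, which is
    // not encoded here.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: a stored field interpolated verbatim into page output. */
function renderTitleUnsafe(string $storedTitle): string
{
    return "<h1 class=\"title\">{$storedTitle}</h1>";
}

/** Hardened pattern: each stored value encoded for the context it lands in. */
function renderTitleSafe(string $storedTitle, string $storedAnchor): string
{
    return '<h1 class="title" id="' . encodeAttribute($storedAnchor) . '">'
        . encodeText($storedTitle)
        . '</h1>';
}

// Constructed sample: a stored title that happens to contain markup and quotes.
$stored = 'Q1 report <b>draft</b> & "notes"';

// The unsafe renderer passes the <b> element through as live markup.
echo renderTitleUnsafe($stored), PHP_EOL;

// The safe renderer turns it into literal text and keeps the id attribute
// from being terminated early by the embedded double quotes.
echo renderTitleSafe($stored, 'q1 "report"'), PHP_EOL;
```

Encoding is the right tool when a field is meant to be displayed as text. Where a CMS field must legitimately carry rich HTML (a WYSIWYG editor body), encoding would mangle it, and an allowlist HTML sanitizer applied to the stored value is the appropriate alternative; raw interpolation of either kind of field is what CWE-79 describes.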
Preconditions
- Auth: the attacker must have an authenticated account with content-editing privileges in Coaster CMS v5.5.0.
- Input: the attacker must be able to submit content (e.g., via the WYSIWYG editor or form fields) that is stored and later displayed to other users.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-77cq-wgpf-g449 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-17876 (ADVISORY)
- packetstormsecurity.com/files/149647/Coaster-CMS-5.5.0-Cross-Site-Scripting.html (x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.