VYPR
Moderate severity · NVD Advisory · Published Oct 16, 2018 · Updated Aug 29, 2025

CVE-2018-18307

Description

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AlchemyCMS 4.1.0 is vulnerable to stored XSS via the `/admin/pictures` image field, allowing arbitrary JavaScript execution.

Vulnerability

AlchemyCMS version 4.1.0 (stable branch) contains a stored cross-site scripting (XSS) vulnerability in the /admin/pictures image field. An authenticated user with the ability to upload images via the admin interface can inject arbitrary JavaScript code into the image field, which is then stored and executed when the image is viewed by other admin users. The vulnerability exists because user input is not properly sanitized before being stored and rendered in the admin panel. This was reported by Ismail Tasdelen and described in references [1] and [4].

Exploitation

To exploit this vulnerability, an attacker must have a valid admin session cookie (i.e., be an authenticated admin user) and upload a malicious image file containing embedded JavaScript code via the /admin/pictures endpoint. The attacker sends a POST request with a multipart form containing the image file; the request includes a CSRF token and session cookie. Upon successful upload, the malicious payload is stored on the server and will be executed in the browser of any admin user who subsequently views the image in the admin panel. No additional user interaction is required beyond viewing the stored image.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session theft, defacement of admin pages, or unauthorized actions performed on behalf of the victim admin user. The vendor has disputed the report, noting that an attacker must be authenticated with a valid session cookie to perform the upload [3]. However, if an attacker gains such access (e.g., through a separate vulnerability or shared credentials), the impact is a full compromise of the admin session and potential escalation within the CMS.

Mitigation

As of the publication date of this CVE, no official fix or patched version has been released by the vendor. AlchemyCMS 4.1.0 is an older version; the vendor recommends using the latest stable branch (currently 8.0-stable) which may address this issue [2]. If upgrading is not possible, administrators should ensure that only trusted users have admin access, and consider using a web application firewall (WAF) to filter malicious payloads in image uploads. The vendor's position is that this is not a vulnerability due to the authentication requirement, but the CVE remains assigned by MITRE [3].
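To make the mechanism described under Vulnerability and the "escape on output" point of the mitigation concrete, here is an added Ruby example; it is not AlchemyCMS code, and the picture records, field names and render helpers are hypothetical. It shows a stored picture name rendered unescaped next to the escaped form, plus an audit function a defender can run over existing records to find markup that has already been stored.

```ruby
require "erb"

# Constructed sample of stored picture metadata, as a hypothetical model
# might hold it. The last record carries markup of the kind the advisory
# describes; it is a plain test string, not a working attack.
SAMPLE_PICTURES = [
  { id: 1, name: "hero-banner.jpg" },
  { id: 2, name: "team photo (2018).png" },
  { id: 3, name: "<img src=x onerror=alert(1)>.jpg" },
].freeze

# Vulnerable rendering pattern: the stored value is interpolated straight
# into the admin page, so any markup in it becomes live HTML.
def render_picture_name_unsafe(picture)
  "<td class=\"picture-name\">#{picture[:name]}</td>"
end

# Hardened pattern: escape on output. ERB::Util.html_escape is the same
# escaping Rails applies to plain view interpolation, so the browser shows
# the angle brackets as text instead of parsing a tag.
def render_picture_name_safe(picture)
  "<td class=\"picture-name\">#{ERB::Util.html_escape(picture[:name])}</td>"
end

# Defender check: flag stored values that already contain HTML tags, a
# javascript: URL or an inline event handler, so existing records can be
# reviewed after an upgrade or while the field is still rendered unescaped.
MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|javascript:|on\w+\s*=/i

def audit_picture_names(pictures)
  pictures.select { |p| p[:name].to_s.match?(MARKUP_PATTERN) }.map { |p| p[:id] }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PICTURES.each do |p|
    puts "unsafe: #{render_picture_name_unsafe(p)}"
    puts "safe:   #{render_picture_name_safe(p)}"
  end
  puts "records needing review: #{audit_picture_names(SAMPLE_PICTURES).inspect}"
end
```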

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 8

News mentions: 0 (no linked articles in our index yet)