VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2018 · Updated Aug 5, 2024

CVE-2018-19289

Description

Valine v1.3.3 allows HTML injection via an EMBED element with a .pdf file, enabling JavaScript execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Valine v1.3.3, a comment system, is susceptible to HTML injection [1][4]. The vulnerability allows an attacker to inject arbitrary HTML through the use of an EMBED element in conjunction with a .pdf file [1]. This affects versions up to and including 1.3.3 [4].

Exploitation

An attacker can exploit this vulnerability by submitting a comment or other input that includes an `<embed>` element pointing to a `.pdf` file [1]. Valine does not properly sanitize the injected HTML, so the embedded content is rendered. The attacker needs no special privileges or authentication beyond the ability to submit content to a Valine instance.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the user's browser [1]. This can lead to session theft, defacement, or other client-side attacks, compromising the confidentiality and integrity of user interactions with the affected site.

Mitigation

The vulnerability is fixed in versions after 1.3.3 [4]. A commit addressing the issue is available at [3]. Users should upgrade to the latest patched version. If upgrading is not immediately possible, input sanitization mechanisms should be reviewed and strengthened to prevent HTML injection.
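The Exploitation and Mitigation sections above describe the failure (user-supplied comment HTML rendered without sanitization, so an `<embed>` element survives) and the remedy (strengthened input sanitization). The following is an added example, not Valine's own code and not the change made in the fix commit: an allowlist-based sanitizer for comment HTML that keeps a handful of formatting tags, drops every other element (`<embed>`, `<object>`, `<iframe>`, `<script>`, ...), strips all attributes except an absolute http(s) `href` on links, escapes stray markup as text, and closes any tags the comment left open so it cannot swallow the rest of the page. The allowlist, the helper names and the sample comment are assumptions constructed for the example.

```javascript
// Added example (not Valine's own code): allowlist-based sanitizer for
// user-submitted comment HTML. Assumption: comments are stored and rendered
// as HTML, so anything outside the allowlist below is dropped or escaped.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "code", "pre", "blockquote", "a"]);
const VOID_TAGS = new Set(["br"]);
// Only <a href> survives; every other attribute (onclick, style, src, ...) is dropped.
const ALLOWED_ATTRS = new Map([["a", new Set(["href"])]]);

// Escape text so it can never be interpreted as markup or break out of an attribute.
function escapeText(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Returns the href to emit, or null when it is not an absolute http(s) URL
// (rejects javascript:, data:, vbscript: and relative URLs alike).
function safeHref(value) {
  const v = value.trim();
  return /^https?:\/\/[^\s]+$/i.test(v) ? v : null;
}

// Minimal attribute parser for the raw text inside a start tag.
function parseAttrs(raw) {
  const attrs = [];
  const re = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return attrs;
}

function sanitizeComment(html) {
  // A tag is "<", optional "/", a name, then anything up to the first ">".
  // Anything that does not match this shape (e.g. "1 < 2") is escaped as text.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^<>]*)>/g;
  const open = []; // stack of currently open allowed tags
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // <embed>, <object>, <iframe>, <script>, ... are dropped
    if (closing) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue; // stray close tag with no matching open tag
      while (open.length > idx) out += `</${open.pop()}>`;
      continue;
    }
    let attrText = "";
    const allowed = ALLOWED_ATTRS.get(name);
    if (allowed) {
      for (const [k, v] of parseAttrs(m[3])) {
        if (!allowed.has(k)) continue;
        const value = k === "href" ? safeHref(v) : v;
        if (value !== null) attrText += ` ${k}="${escapeText(value)}"`;
      }
    }
    if (VOID_TAGS.has(name)) { out += `<${name}>`; continue; }
    out += `<${name}${attrText}>`;
    open.push(name);
  }
  out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`; // close whatever the comment left open
  return out;
}

// Constructed sample comment: ordinary markup, an inline event handler, an
// <embed> pointing at a .pdf, a javascript: link, a normal link and a stray "<".
const SAMPLE = '<p onclick="x()">Nice <b>post</b>!</p>'
  + '<embed src="https://example.invalid/poc.pdf" type="application/pdf">'
  + '<a href="javascript:alert(1)">click</a> <a href="https://example.com/">ok</a> 1 < 2';

// Expected: markup and the http(s) link survive; <embed>, onclick and the
// javascript: href are gone; the stray "<" is escaped.
function sanitizedSample() {
  return sanitizeComment(SAMPLE);
}

console.log(sanitizedSample());
```

The dropped tags fail closed: their inner text is kept as escaped text, and a tag whose attribute value contains a `>` is simply cut there, leaving the remainder escaped rather than rendered. A hand-written regex sanitizer like this is suitable for illustrating the allowlist idea; for production use, a maintained HTML sanitizer such as DOMPurify, which parses with the browser's own HTML parser, is the better choice.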

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
valine (npm)   < 1.3.4             1.3.4

Affected products (1)

Patches (1)
32d4d5e68df8

fix & update cc #127,#125

https://github.com/xCss/Valine · xCss · Nov 24, 2018 · via ghsa
3 files changed · +5 −5
  • dist/Valine.min.js +2 −2 modified
  • dist/Valine.Pure.min.js +2 −2 modified
  • package.json +1 −1 modified
    @@ -1,6 +1,6 @@
     {
       "name": "valine",
    -  "version": "1.3.3",
    +  "version": "1.3.4",
       "description": "A simple comment system based on Leancloud.",
       "main": "/dist/Valine.min.js",
       "author": "xCss <xioveliu@gmail.com> (https://github.com/xCss)",
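Review bot: the only reviewable change in this hunk is the package.json version bump from 1.3.3 to 1.3.4; the sanitization fix itself lives in the two minified bundles (dist/Valine.min.js and dist/Valine.Pure.min.js, +2 −2 each), which cannot be meaningfully reviewed for correctness. Suggest committing the corresponding unminified source change alongside the rebuilt dist files, and adding a regression test that feeds a comment containing an `<embed>` element and asserts it is stripped before rendering.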
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.