VYPR
Unrated severity · NVD Advisory · Published Jan 3, 2019 · Updated Aug 5, 2024

CVE-2018-19414

Description

Multiple cross-site scripting (XSS) vulnerabilities in Plikli CMS 4.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to groups.php; (2) username parameter to login.php; or (3) date parameter to search.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Plikli CMS 4.0.0 contains multiple stored/reflected XSS flaws via the keyword, username, and date parameters.

Vulnerability

Plikli CMS version 4.0.0 is affected by multiple cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary JavaScript or HTML through three distinct parameters: the keyword GET parameter in groups.php (search view), the username POST parameter in login.php, and the date GET parameter in search.php. These parameters are not properly sanitized before being reflected back to the user. [1][2]
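To make the "reflected without sanitization" pattern concrete, the following is an added PHP illustration written for this page; it is not Plikli CMS code and not taken from the advisory. The parameter name keyword mirrors the advisory, while the input template, the function names render_unsafe and render_safe, and the constructed probe string are assumptions. The vulnerable function reflects the raw value into an attribute; the hardened one encodes it for the HTML attribute context before output.

```php
<?php
// Added illustration (not Plikli CMS code): the same request parameter
// reflected into an HTML attribute without encoding and with encoding.

function render_unsafe(string $keyword): string
{
    // Vulnerable pattern: the raw request value is concatenated into the
    // attribute, so a double quote in the input ends the attribute early.
    return '<input type="text" name="keyword" value="' . $keyword . '">';
}

function render_safe(string $keyword): string
{
    // ENT_QUOTES encodes both ' and " so the value cannot close the attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $encoded = htmlspecialchars($keyword, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="keyword" value="' . $encoded . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input that mirrors the attribute breakout described above.
    $probe = 'x" onmouseover="alert(1)';
    echo render_unsafe($probe), "\n"; // attribute closed early, handler attribute injected
    echo render_safe($probe), "\n";   // quotes become &quot;, value stays inside the attribute
} else {
    echo render_safe($_GET['keyword'] ?? '');
}
```

The same encode-at-output rule applies to the username and date parameters named in the advisory. Encoding must match the context the value lands in: htmlspecialchars() covers HTML text and quoted attribute values, but a value placed inside a script block or a URL needs the encoder for that context instead.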

Exploitation

An attacker can exploit these vulnerabilities by crafting a malicious URL (for the GET parameters) or by submitting a crafted POST request (for the username parameter). No authentication is required; the attack can be performed remotely over HTTP. For example, appending keyword='+alert(1)+' to the groups.php URL will cause the injected script to execute in the victim's browser when the link is visited. The date parameter can be injected with a payload that breaks out of the enclosing HTML tag. The username parameter can be exploited via an onmouseover payload in a POST submission. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The severity is rated as High. [1]

Mitigation

The vendor fixed these issues on 3 August 2018, prior to the public advisory release, and the advisory was published on 4 December 2018. Users should upgrade to a version newer than 4.0.0 or apply the vendor's patch. No workaround is provided for versions that cannot be updated. [1][2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.