CVE-2018-19785
Description
PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL field in index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP-Proxy through 5.1.0 has a reflected XSS vulnerability in the URL field of index.php, allowing arbitrary script execution.
Vulnerability
PHP-Proxy through version 5.1.0 contains a reflected Cross-Site Scripting (XSS) vulnerability reachable through the URL field of index.php. The submitted value is reflected into the error message ($error_msg), which templates/main.php echoed without any output encoding (the line changed by the fix commit), so arbitrary HTML and JavaScript in that value is written straight into the response. All versions up to and including 5.1.0 are affected [1][4].
Exploitation
An attacker crafts a request to the proxy whose URL field carries a JavaScript payload and tricks a victim into visiting that URL. The payload is reflected immediately in the response; no authentication or special privileges are required [3][4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the PHP-Proxy site. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites [1].
Mitigation
The fix is commit f74d9315ded7c05030023efcbedbcb24e8cc3a64, which wraps the echo of $error_msg in templates/main.php in strip_tags() [2]. The sources disagree on a fixed release: this narrative found no official patched release at the time of publication, while the advisory data below lists athlon1600/php-proxy-app 3.0 as patched even though the CVE description covers versions through 5.1.0 [1][2]. Rather than trusting a version number, check the installed templates/main.php and confirm the echo of $error_msg is no longer raw. Note that this is an output-encoding bug at the sink, not an input-validation bug: the durable fix is to HTML-encode the value where it is echoed (htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8')), since strip_tags() only deletes tag-shaped text, and sanitizing the URL parameter on input would have to anticipate every context the value is later written into.
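A worked illustration of the sink described above, added here as an example and not PHP-Proxy's own code. It models the path from the URL field to the echoed error message and compares the pre-fix raw echo, the strip_tags() fix from the commit, and contextual output encoding. The error-message format, the function names, and the attribute sink are assumptions; only the raw-echo / strip_tags($error_msg) pair comes from the fix commit.

```php
<?php
// Added example, not PHP-Proxy's own code. Models the flow this CVE describes:
// the URL field value from index.php ends up in $error_msg, which
// templates/main.php echoes inside a <p>. Message wording, function names and
// the attribute sink are assumptions made for the demo.
declare(strict_types=1);

// Stand-in for index.php: on a failed fetch the submitted URL is reflected
// into the error message unchanged (assumed format).
function build_error_msg(string $submittedUrl): string
{
    return 'Could not load URL: ' . $submittedUrl;
}

// Pre-fix templates/main.php: raw echo into an HTML text node.
function render_vulnerable(string $msg): string
{
    return '<p>' . $msg . '</p>';
}

// The fix as committed: tag-shaped text is deleted, nothing is encoded.
function render_strip_tags(string $msg): string
{
    return '<p>' . strip_tags($msg) . '</p>';
}

// Contextual output encoding: every HTML metacharacter becomes an entity.
function render_encoded(string $msg): string
{
    return '<p>' . htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Hypothetical attribute sink (not in the patched file): a template that
// re-fills the URL field. Shows where strip_tags() gives no protection at all.
function render_attribute(string $value, bool $encode): string
{
    $v = $encode
        ? htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : strip_tags($value);
    return '<input name="url" value="' . $v . '">';
}

// Parse the rendered markup the way a browser would and report whether a
// <script> element or an on* event-handler attribute survived.
function looks_injected(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed payloads for the demo, not taken from the advisory or the issue.
$textPayload = 'http://attacker.example/<script>alert(document.domain)</script>';
$attrPayload = '" autofocus onfocus="alert(document.domain)';

$msg = build_error_msg($textPayload);
$cases = [
    'raw echo (vulnerable)' => render_vulnerable($msg),
    'strip_tags() fix'      => render_strip_tags($msg),
    'htmlspecialchars()'    => render_encoded($msg),
    'attribute, strip_tags' => render_attribute($attrPayload, false),
    'attribute, encoded'    => render_attribute($attrPayload, true),
];
foreach ($cases as $label => $html) {
    printf("%-22s injected=%s  %s\n", $label, looks_injected($html) ? 'yes' : 'no', $html);
}
```

Run it with `php xss_sink_demo.php` (any PHP build with ext-dom). The two rows the check flags are the raw echo and the attribute sink guarded only by strip_tags(): the text payload is neutralised by strip_tags() because it removes the tag, but the attribute payload contains no tag at all, so only the encoded variant keeps the injected quote from closing the attribute. That is the reason the durable fix is encoding at each sink rather than stripping or sanitising on input.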
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| athlon1600/php-proxy-app (Packagist) | < 3.0 | 3.0 |
Affected products
- Range: <=5.1.0
Patches
f74d9315ded7: xss injection issue on $error_msg
1 file changed · +1 −1
templates/main.php+1 −1 modified@@ -57,7 +57,7 @@ <?php if(isset($error_msg)){ ?> <div id="error"> - <p><?php echo $error_msg; ?></p> + <p><?php echo strip_tags($error_msg); ?></p> </div> <?php } ?>
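Review bot: strip_tags() in `<p><?php echo strip_tags($error_msg); ?></p>` deletes tag-shaped text instead of encoding the output, so a legitimate message containing `<` loses content, `&` and quotes pass through unencoded, and the same variable would be unprotected if it were ever echoed inside an attribute, where no tag is needed for injection. Prefer `htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8')` at this line, and confirm no other template echoes $error_msg or the submitted URL without encoding.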
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cghj-w42g-hqmr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-19785 (NVD advisory)
- github.com/Athlon1600/php-proxy-app/commit/f74d9315ded7c05030023efcbedbcb24e8cc3a64 (fix commit)
- github.com/Athlon1600/php-proxy-app/issues/140 (issue report)
- github.com/eddietcc/CVEnotes/blob/master/PHP-Proxy/RADME.md (third-party write-up)