VYPR
Moderate severity · NVD Advisory · Published Dec 17, 2018 · Updated Aug 5, 2024

CVE-2018-19933

Description

Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bolt CMS versions before 3.6.2 are vulnerable to stored XSS via the Title field when previewing a page, allowing arbitrary JavaScript execution.

Vulnerability

Bolt CMS versions prior to 3.6.2 contain a stored Cross-Site Scripting (XSS) vulnerability in the preview functionality. When a user clicks the preview button, the Title field is not properly sanitized, allowing injection of arbitrary HTML and JavaScript. The vulnerability is demonstrated using the Title field of a Configured and New Entry. Affected versions are all releases before 3.6.2 [1][2][4].

Exploitation

An attacker must have an authenticated account with permissions to create or edit content (entries/pages). The attacker submits a POST request to /preview/page with malicious JavaScript in the title parameter. When the preview is rendered, the script executes in the context of the victim's browser. No special network position is required beyond access to the Bolt backend. The PoC demonstrates a simple alert("Raif") payload [2][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement of the CMS interface, or redirection to malicious sites. The vulnerability is classified as moderate severity (CVSS score not specified) [1][2].

Mitigation

Upgrade to Bolt CMS version 3.6.2 or later, which contains the fix for this vulnerability. No official workaround is documented. Note that Bolt CMS 3 has been superseded by Bolt 5; users on unsupported versions should migrate to a currently supported release [1][2].
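The Vulnerability and Mitigation passages above come down to one rendering decision: the preview interpolates the Title field into HTML without output encoding. The PHP below is an added example, not Bolt's own code, that contrasts that pattern with escaping at the point of output and adds a small review check; the function names, the `containsRawTag` helper and the sample title are assumptions.

```php
<?php
// Added example (not Bolt's code): unescaped title in a preview versus
// context-aware HTML escaping. Helper names and the sample title are assumed.

declare(strict_types=1);

/** Vulnerable pattern: the submitted title is placed into the markup verbatim. */
function renderPreviewUnsafe(string $title): string
{
    return "<h1 class=\"preview-title\">{$title}</h1>";
}

/** Escape for an HTML text or attribute context: <, >, &, and both quote styles become entities. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: escape when writing output, regardless of where the value was stored. */
function renderPreviewSafe(string $title): string
{
    return '<h1 class="preview-title">' . escapeHtml($title) . '</h1>';
}

/**
 * Review check over rendered output: a raw opening tag for a name that editors
 * should never be able to emit (script, iframe, ...) means escaping was skipped.
 */
function containsRawTag(string $html, string $tagName): bool
{
    return stripos($html, '<' . $tagName) !== false;
}

// Constructed sample title, the kind of value a content editor can submit.
$sampleTitle = 'Hello <script>alert(1)</script> & "friends"';

// The unsafe rendering carries the script element through to the browser;
// the safe rendering shows the same text as inert entities.
echo renderPreviewUnsafe($sampleTitle), PHP_EOL;
echo renderPreviewSafe($sampleTitle), PHP_EOL;

// The check flags the unsafe output and passes the escaped one.
var_dump(containsRawTag(renderPreviewUnsafe($sampleTitle), 'script'));
var_dump(containsRawTag(renderPreviewSafe($sampleTitle), 'script'));
```

Bolt's templates are Twig, where the same distinction is `{{ title }}` (autoescaped) versus `{{ title|raw }}`; a template or controller that builds the preview markup by string concatenation bypasses that autoescaping, which is the class of defect the fixed release addresses. The `containsRawTag` check is a coarse regression test for a preview route, not a substitute for the upgrade the Mitigation section recommends.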

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bolt/bolt (Packagist)
Affected versions: < 3.6.2
Patched versions: 3.6.2

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)