VYPR
Unrated severity · OSV Advisory · Published Apr 26, 2018 · Updated Aug 5, 2024

CVE-2018-6518

Description

Composr CMS 10.0.13 has XSS via the site_name parameter in a page=admin-setupwizard&type=step3 request to /adminzone/index.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Composr CMS 10.0.13 has a stored XSS vulnerability via the site_name parameter during setup wizard step 3.

Vulnerability

Composr CMS version 10.0.13 contains a cross-site scripting (XSS) vulnerability in the setup wizard component. The issue lies in the site_name parameter when processing a request to /adminzone/index.php with the query string page=admin-setupwizard&type=step3 [1]. An attacker can inject arbitrary JavaScript code into the site_name parameter, which is then stored and executed in the context of the admin panel [1].

Exploitation

An attacker needs administrative access to the Composr CMS admin panel to reach the setup wizard step 3 page [1]. The attacker sends a crafted HTTP request to the vulnerable endpoint, embedding a malicious JavaScript payload in the site_name parameter [1]. No additional user interaction is required beyond the attacker performing the request, as the payload is stored and executed upon viewing the affected page [1].

Impact

Successful exploitation leads to stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the browser of any administrator who views the affected page, potentially leading to session hijacking, defacement, or theft of sensitive information within the admin session context [1].

Mitigation

According to the available references, no official patch or fixed version has been published for this vulnerability [1]. Administrators should avoid using the setup wizard after initial configuration, restrict access to the admin panel, and consider upgrading to a later version if one is available, or applying web application firewall rules to filter malicious input [1].
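The input filtering suggested above, as an added example (not Composr code and not taken from the advisory's references): a request check, usable in a reverse-proxy hook or over logged requests, that flags setup wizard step 3 submissions whose site_name carries HTML-active characters. The function names, the character set and the sample requests are assumptions constructed for illustration; only the path and parameter names come from the description.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameters named in the CVE description.
WIZARD_PATH = "/adminzone/index.php"
WIZARD_ROUTE = {"page": "admin-setupwizard", "type": "step3"}
# Assumption: a site name never needs characters that can open a tag or
# close an attribute, so any of them is treated as suspicious (strict: this
# also flags names containing an apostrophe).
MARKUP_CHARS = re.compile(r"[<>\"'`]")


def _fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so %253C is seen as '<' (bounded loop)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(method, url, body=""):
    """Return decoded site_name values that contain markup characters.

    An empty list means the request is not a step 3 wizard submission or
    its site_name is clean.
    """
    parts = urlsplit(url)
    if parts.path != WIZARD_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        # Parameters may arrive in the urlencoded form body as well.
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    if any(want not in params.get(key, []) for key, want in WIZARD_ROUTE.items()):
        return []
    decoded = (_fully_decode(v) for v in params.get("site_name", []))
    return [v for v in decoded if MARKUP_CHARS.search(v)]


# Constructed sample requests (benign markup stands in for a payload).
ROUTE = WIZARD_PATH + "?page=admin-setupwizard&type=step3"
SAMPLES = [
    ("POST", ROUTE, "site_name=Acme+Widgets"),
    ("POST", ROUTE, "site_name=%3Cb%3EAcme%3C%2Fb%3E"),
    ("GET", ROUTE + "&site_name=Acme%253Cb%253E", ""),
    ("POST", WIZARD_PATH + "?page=admin-news&type=add", "site_name=%3Cb%3E"),
]
```

A filter like this only narrows exposure at the edge; the stored value still has to be HTML-encoded wherever the application renders it.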

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
