VYPR
Moderate severity · NVD Advisory · Published Feb 18, 2018 · Updated Aug 5, 2024

CVE-2018-7198

Description

October CMS through 1.0.431 allows XSS via HTML injection on the Add Posts page due to unsanitized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

October CMS versions through 1.0.431, when using the RainLab Blog plugin, allow stored cross-site scripting (XSS) via the Add Posts page. The blog editor does not sanitize HTML markup entered by users with posting privileges, so arbitrary HTML is saved and later rendered. The vulnerability is tied to the shouldCleanHtml() method in BlogMarkdown returning false [4], which disables HTML cleaning at the widget level. This affects versions of the Blog plugin prior to commit 6ae19a6e16ef3ba730692bc899851342c858bb94, introduced around February 2018 [4].

Exploitation

An attacker who can log into the October CMS backend and access the Blog > Posts section can navigate to the Add Posts page (or edit an existing post) and insert arbitrary HTML payloads in the post content field. Steps include: (1) logging into the admin panel, (2) selecting Blog > Posts, (3) clicking Add or editing a post, (4) entering HTML such as ``, and (5) saving the post [3]. The payload is stored and executed when the post is viewed by any user, including administrators, in the front-end or back-end preview.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to information theft (session cookies, CSRF tokens), site defacement, or further privilege escalation if an administrator views compromised content [3]. The attack is persistent (stored XSS) and does not require user interaction beyond viewing the affected page.

Mitigation

A fix was committed on 2018-02-13 in commit 6ae19a6e16ef3ba730692bc899851342c858bb94 to the RainLab Blog plugin repository [4]. Users should update the blog plugin to the latest version that includes this commit. As a workaround, administrators can restrict access to the Add Posts page to trusted users only until the plugin is updated. The CMS itself may be patched in a future release; October CMS versions 1.0.431 and earlier are vulnerable [1][2]. No official CVE or KEV listing was known at the time of publication.
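As an added illustration, not code from the plugin or from this advisory, the following Python models the shape of the fix described above: rendered markdown is passed through an allowlist cleaner unless the acting backend user holds the `backend.allow_unsafe_markdown` permission. The allowlist, `clean_html` and `format_html` are constructed here; October's own cleaner is `Html::clean`, whose rules differ.

```python
from html.parser import HTMLParser
from html import escape

# Constructed allowlist for this illustration; October's Html::clean() applies its own rules.
ALLOWED_TAGS = {"p", "a", "em", "strong", "pre", "code", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")

class AllowlistCleaner(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and attributes; everything else is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose text is discarded too

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip_depth += 1
            return  # unknown tag dropped; its text content is kept, escaped, by handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* event handlers and any non-allowlisted attribute
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and other unexpected URL schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def clean_html(html: str) -> str:
    parser = AllowlistCleaner()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def format_html(rendered: str, user_permissions: set) -> str:
    """Models the patched Post::formatHtml() gate: clean unless the acting backend user holds the permission."""
    if "backend.allow_unsafe_markdown" in user_permissions:
        return rendered  # trusted author: raw HTML passes through, as in the patch
    return clean_html(rendered)
```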

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions   Patched versions
rainlab/blog-plugin (Packagist)   < 1.4.1             1.4.1

Affected products (1)

Patches (1)

Commit 6ae19a6e16ef

Implement support for backend.allow_unsafe_markdown and improve support for Swoole

https://github.com/rainlab/blog-plugin · Luke Towers · May 26, 2020 · via ghsa
2 files changed · +33 −7
  • formwidgets/BlogMarkdown.php · +27 −7 · modified
    @@ -20,6 +20,9 @@
      */
     class BlogMarkdown extends MarkdownEditor
     {
    +    /**
    +     * {@inheritDoc}
    +     */
         public function init()
         {
             $this->viewPath = base_path().'/modules/backend/formwidgets/markdowneditor/partials';
    @@ -29,12 +32,28 @@ public function init()
             parent::init();
         }
     
    +    /**
    +     * {@inheritDoc}
    +     */
         protected function loadAssets()
         {
             $this->assetPath = '/modules/backend/formwidgets/markdowneditor/assets';
             parent::loadAssets();
         }
     
    +    /**
    +     * Disable HTML cleaning on the widget level since the PostModel will handle it
    +     *
    +     * @return boolean
    +     */
    +    protected function shouldCleanHtml()
    +    {
    +        return false;
    +    }
    +
    +    /**
    +     * {@inheritDoc}
    +     */
         public function onRefresh()
         {
             $content = post($this->formField->getName());
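Review bot: the new shouldCleanHtml() in this hunk switches off the widget's own cleaning on the strength of a docblock promise that "the PostModel will handle it", but nothing in BlogMarkdown enforces that coupling, so any other form or model that reuses this editor without the Post-side cleaning would store raw HTML. Please document the dependency in the class docblock (or check for it in init()) so a later change to Post::formatHtml() does not silently reopen the stored XSS.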
    @@ -46,6 +65,11 @@ public function onRefresh()
             ];
         }
     
    +    /**
    +     * Handle images being uploaded to the blog post
    +     *
    +     * @return void
    +     */
         protected function checkUploadPostback()
         {
             if (!post('X_BLOG_IMAGE_UPLOAD')) {
    @@ -90,11 +114,9 @@ protected function checkUploadPostback()
                 ];
     
                 $response = Response::make()->setContent($result);
    -            $response->send();
    +            $this->controller->setResponse($response);
     
    -            die();
    -        }
    -        catch (Exception $ex) {
    +        } catch (Exception $ex) {
                 $message = $uploadedFileName
                     ? Lang::get('cms::lang.asset.error_uploading_file', ['name' => $uploadedFileName, 'error' => $ex->getMessage()])
                     : $ex->getMessage();
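Review bot: replacing `$response->send(); die();` with `$this->controller->setResponse($response);` means checkUploadPostback() now returns normally instead of terminating the request, so the upload response is only preserved if the caller stops processing once the postback has been handled; otherwise the widget's normal response can overwrite it. The call site is not in this hunk, so please confirm it returns early, and note the Swoole motivation from the commit message in the method docblock.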
    @@ -105,9 +127,7 @@ protected function checkUploadPostback()
                 ];
     
                 $response = Response::make()->setContent($result);
    -            $response->send();
    -
    -            die();
    +            $this->controller->setResponse($response);
             }
         }
     }
    
  • models/Post.php · +6 −0 · modified
    @@ -189,6 +189,12 @@ public static function formatHtml($input, $preview = false)
         {
             $result = Markdown::parse(trim($input));
     
    +        // Check to see if the HTML should be cleaned from potential XSS
    +        $user = BackendAuth::getUser();
    +        if (!$user || !$user->hasAccess('backend.allow_unsafe_markdown')) {
    +            $result = Html::clean($result);
    +        }
    +
             if ($preview) {
                 $result = str_replace('<pre>', '<pre class="prettyprint">', $result);
             }
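Review bot: the new check in formatHtml() decides whether to run Html::clean() from `BackendAuth::getUser()` at the moment the HTML is formatted, that is, from whoever is acting when the content is saved or previewed rather than from who authored it; the clean path is therefore skipped whenever a session holding `backend.allow_unsafe_markdown` triggers formatting of content written by someone else. Also, neither `BackendAuth` nor `Html` appears in a `use` statement in this diff, and the permission itself is not registered in either of the two files changed; confirm both imports exist at the top of models/Post.php and that `backend.allow_unsafe_markdown` is registered in the plugin's permission list and defaults to off.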
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.