VYPR
Moderate severity · NVD Advisory · Published Feb 21, 2018 · Updated Aug 5, 2024

CVE-2018-7274

Description

Quarx CMS through 2.4.3 has persistent XSS in Blog Title, FAQ Question, Pages Title, Widgets Name, and Menus Name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Quarx CMS through version 2.4.3 contains multiple persistent (stored) cross-site scripting vulnerabilities. The affected inputs are the Blog title, FAQ question, Page title, Widget name, and Menu name fields: values submitted through the CMS are saved exactly as entered and later echoed into admin and public pages without HTML encoding [3][4]. The fix commit applies the same treatment to the Event title, which the advisory description does not list. All installations running an affected version are exposed.

Exploitation

An attacker who can create or edit these records (typically an authenticated user with content-manager or administrator rights in the CMS) submits JavaScript as the field value, for example inside a script tag or an inline event handler. The value is stored verbatim, and when an administrator or site visitor loads a page that renders the field (blog list, FAQ list, page view, widget area, menu management) the payload runs in that user's browser, with that user's session. No special network position is required beyond ordinary web access to the CMS [4].
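As an added illustration (example code, not Quarx's own and not taken from the advisory), the following Python script models that flow: a field value is stored under one of three policies, rendered into a hypothetical admin template that echoes it unescaped, and the rendered HTML is parsed to see what a browser would execute. The two templates, the payloads and the policy names are assumptions. Besides the unpatched path it approximates the fix as committed, htmlentities() with no flags, which on the PHP 7 releases current in 2018 defaulted to ENT_COMPAT and left the apostrophe unencoded (PHP 8.1 changed the default to ENT_QUOTES), and shows why that is still exploitable in a single-quoted attribute context.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs; neither comes from the advisory or the project.
PAYLOAD_BODY = "Welcome <script>alert(document.cookie)</script>"
PAYLOAD_ATTR = "x' onmouseover='alert(1)"


def store_unpatched(value: str) -> str:
    """Pre-fix behaviour: the submitted field is persisted verbatim."""
    return value


def store_ent_compat(value: str) -> str:
    """Approximates the fix as committed: htmlentities() with no flags, which on the PHP
    versions current in 2018 meant ENT_COMPAT (& < > " encoded, apostrophe untouched)."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def store_ent_quotes(value: str) -> str:
    """Approximates htmlentities($value, ENT_QUOTES): the apostrophe is encoded as well."""
    return html.escape(value, quote=True)


# Hypothetical admin templates that interpolate the stored value without escaping it,
# the way an unescaped Blade {!! !!} echo would: one element-body sink, one attribute sink.
def render_body(title: str) -> str:
    return f"<tr><td>{title}</td></tr>"


def render_attr(title: str) -> str:
    return f"<a href='/admin/blog/1/edit' title='{title}'>edit</a>"


class _ScriptSinks(HTMLParser):
    """Walks the rendered HTML the way a browser would and records anything that runs script."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")


def script_sinks(rendered: str) -> list[str]:
    parser = _ScriptSinks()
    parser.feed(rendered)
    parser.close()
    return parser.findings


def outcome(store, payload: str, render) -> list[str]:
    """Run one payload through a storage policy and a template; report what would execute."""
    return script_sinks(render(store(payload)))


def compare() -> dict[str, list[str]]:
    """Every storage policy against both templates; an empty list means the payload is inert."""
    policies = {"unpatched": store_unpatched, "ENT_COMPAT": store_ent_compat, "ENT_QUOTES": store_ent_quotes}
    templates = {"body": (PAYLOAD_BODY, render_body), "attr": (PAYLOAD_ATTR, render_attr)}
    return {
        f"{policy}/{ctx}": outcome(store, payload, render)
        for policy, store in policies.items()
        for ctx, (payload, render) in templates.items()
    }


if __name__ == "__main__":
    for case, hits in compare().items():
        print(f"{case:18} {'executes: ' + ', '.join(hits) if hits else 'inert'}")
```

Run as a script it prints one line per policy and context; only ENT_QUOTES is inert in both. The unflagged call is safe in element bodies and double-quoted attributes only, which is why the flags should be passed explicitly when encoding at write time, and why encoding in the template, where the context is known, is the more robust choice.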

Impact

Successful exploitation gives the attacker arbitrary JavaScript execution in the browser of any user who views the infected content. This can result in session hijacking, defacement, or theft of sensitive information; because the payload also runs inside the admin interface, it can drive the CMS with the victim's privileges, which turns a content-editor account into an administrator-level foothold. The scope of compromise is limited to the browsers of users who view the affected pages, but the stored nature means the payload executes for every viewer, on every visit, until the stored value is cleaned [3][4].

Mitigation

The vendor released fixed versions 2.4.5 and 2.4.6 that address these vulnerabilities [4]; the package data below lists 2.4.5 as the first patched release. Upgrade to the latest available version. The fix commit (dcc1a5ac3c6d, shown below) wraps the affected fields in htmlentities() in the repository store() and update() methods and gates the Blog and FAQ update controllers on the models' validation rules [2]. Two caveats for anyone applying or backporting it: the PageRepository hunks and the WidgetRepository update hunk assign to $input while the method parameter is $payload, so as committed those paths do not encode the value at all; and the encoding happens only on write, so content stored before the upgrade is not cleaned retroactively and must be audited. Encoding at storage is also a blunt instrument: Quarx is built on Laravel, and the durable fix is to render these fields through Blade's escaping {{ }} syntax rather than the raw {!! !!} form and keep plain text in the database. If upgrading is not immediately possible, restrict the CMS admin panel to trusted accounts and enforce strict input validation on all fields. Note that the project is archived and no longer maintained [1].
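The write-time encoding in the fix does nothing for rows that were already in the database when the upgrade happened, so an audit of existing content is part of the remediation. The script below is an added Python example, not project code and not a tool referenced by the advisory: it flags affected rows that contain tag, inline-handler or javascript: patterns and rewrites the flagged ones with the same five-character entity encoding the patch applies (Python's html.escape(quote=True) matches htmlentities with ENT_QUOTES for & < > " '). It runs against a constructed in-memory SQLite database; the table names (blogs, faqs, pages, widgets, menus) are assumptions derived from the payload keys in the fix and must be mapped to the real schema, and the rewrite should only be run on a backed-up database because it is not reversible in place. A bare javascript: string is unchanged by entity encoding, so such rows are returned for manual review rather than treated as fixed.

```python
import html
import re
import sqlite3

# (table, text column) pairs that the fix encodes on store/update. Table names are
# assumptions derived from the payload keys in the patch; adjust to the real schema.
AFFECTED = [
    ("blogs", "title"),
    ("faqs", "question"),
    ("pages", "title"),
    ("widgets", "name"),
    ("menus", "name"),
]

TAG = re.compile(r"<\s*/?[a-z!?]", re.IGNORECASE)                  # opening of a tag or comment
HANDLER = re.compile(r"""\bon[a-z]+\s*=\s*['"]""", re.IGNORECASE)   # quoted inline event handler
JS_URL = re.compile(r"javascript\s*:", re.IGNORECASE)                # scheme that runs script in href/src


def reasons(value: str) -> list[str]:
    """Why a stored value is suspicious, or an empty list for plain text. Heuristic: meant to
    shortlist rows for review, not to prove a value harmless."""
    found = []
    if TAG.search(value):
        found.append("tag")
    if HANDLER.search(value):
        found.append("event-handler")
    if JS_URL.search(value):
        found.append("javascript-url")
    return found


def audit(conn: sqlite3.Connection) -> list[tuple[str, int, list[str]]]:
    """(table, id, reasons) for every affected row that does not look like plain text."""
    hits = []
    for table, col in AFFECTED:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table} ORDER BY id"):
            why = reasons(value or "")
            if why:
                hits.append((table, row_id, why))
    return hits


def encode_like_patch(value: str) -> str:
    """The transformation the fix applies at store/update time: htmlentities() with ENT_QUOTES.
    html.escape(quote=True) encodes the same five characters (& < > " ')."""
    return html.escape(value, quote=True)


def remediate(conn: sqlite3.Connection) -> tuple[int, list[tuple[str, int, list[str]]]]:
    """Encode every flagged row the way the patch would, then re-audit.
    Returns (rows rewritten, rows still flagged). Anything still flagged carries text that
    entity encoding cannot neutralise (e.g. a javascript: URL) and needs manual review."""
    rewritten = 0
    with conn:
        for table, row_id, _ in audit(conn):
            col = dict(AFFECTED)[table]
            (value,) = conn.execute(f"SELECT {col} FROM {table} WHERE id = ?", (row_id,)).fetchone()
            encoded = encode_like_patch(value)
            if encoded != value:
                conn.execute(f"UPDATE {table} SET {col} = ? WHERE id = ?", (encoded, row_id))
                rewritten += 1
    return rewritten, audit(conn)


def sample_db() -> sqlite3.Connection:
    """Constructed pre-upgrade content, including rows an attacker might have planted."""
    conn = sqlite3.connect(":memory:")
    for table, col in AFFECTED:
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, {col} TEXT NOT NULL)")
    rows = {
        "blogs": ["Hello world", "Q1 results <script>alert(document.cookie)</script>"],
        "faqs": ["How do I reset my password?", "What's new? <img src=x onerror=alert(1)>"],
        "pages": ["About", "Contact<svg/onload=alert(1)>"],
        "widgets": ["Sidebar", 'Promo" onmouseover="alert(1)'],
        "menus": ["Main", "javascript:alert(1)"],
    }
    for table, col in AFFECTED:
        conn.executemany(f"INSERT INTO {table} ({col}) VALUES (?)", [(v,) for v in rows[table]])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()
    for hit in audit(db):
        print("flagged before:", hit)
    changed, remaining = remediate(db)
    print(f"rewrote {changed} rows; still needs review: {remaining}")
```

Against the constructed data the audit flags one row per table; the rewrite changes four of them and leaves the menu row carrying a bare javascript: string for a human to look at. Run the audit alone first and review the shortlist; only then run the rewrite, and only if the templates that display these fields do not already escape on output, otherwise encoded rows will be double-encoded on screen.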

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions    Patched versions
yab/quarx (Packagist)   < 2.4.5              2.4.5

Affected products: 1

Patches: 1

dcc1a5ac3c6d

Fixes issue #115

https://github.com/GrafiteInc/CMS · Matt Lantz · Feb 18, 2018 · via ghsa
8 files changed · +38 -8
  • src/Controllers/BlogController.php (+11 -4, modified)
    @@ -128,11 +128,18 @@ public function update($id, BlogRequest $request)
                 return redirect(route($this->quarxRouteBase.'.blog.index'));
             }
     
    -        $blog = $this->blogRepository->update($blog, $request->all());
    -        Quarx::notification('Blog updated successfully.', 'success');
    +        $validation = ValidationService::check(Blog::$rules);
     
    -        if (!$blog) {
    -            Quarx::notification('Blog could not be saved.', 'warning');
    +        if (!$validation['errors']) {
    +            $blog = $this->blogRepository->update($blog, $request->all());
    +
    +            Quarx::notification('Blog updated successfully.', 'success');
    +
    +            if (! $blog) {
    +                Quarx::notification('Blog could not be saved.', 'warning');
    +            }
    +        } else {
    +            return $validation['redirect'];
             }
     
             return redirect(URL::previous());
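Review bot: in the new success branch `Quarx::notification('Blog updated successfully.', 'success')` still fires before the `if (! $blog)` check, so a failed save now emits both the success and the warning notification; move the success call into an else of that check. Separately, once `ValidationService::check(Blog::$rules)` passes, the code still hands `$request->all()` to the repository, so any field not covered by `Blog::$rules` reaches storage unvalidated; pass only the validated fields.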
    
  • src/Controllers/FAQController.php (+10 -4, modified)
    @@ -128,11 +128,17 @@ public function update($id, FAQRequest $request)
                 return redirect(route($this->quarxRouteBase.'.faqs.index'));
             }
     
    -        $faq = $this->faqRepository->update($faq, $request->all());
    -        Quarx::notification('FAQ updated successfully.', 'success');
    +        $validation = ValidationService::check(FAQ::$rules);
     
    -        if (!$faq) {
    -            Quarx::notification('FAQ could not be saved.', 'warning');
    +        if (!$validation['errors']) {
    +            $faq = $this->faqRepository->update($faq, $request->all());
    +            Quarx::notification('FAQ updated successfully.', 'success');
    +
    +            if (!$faq) {
    +                Quarx::notification('FAQ could not be saved.', 'warning');
    +            }
    +        } else {
    +            return $validation['redirect'];
             }
     
             return redirect(URL::previous());
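Review bot: the same pre-existing ordering problem is carried over here: the 'FAQ updated successfully.' notification is set before `if (!$faq)`, so a failed save shows both messages. Also, this commit adds the `ValidationService::check(...)` gate only to the update actions of BlogController and FAQController; none of the eight files in this change touches a create action or another controller, so record creation relies entirely on the repository-level `htmlentities()` calls. Either mirror the check in the create path or state in a comment that the repositories are the enforcement point.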
    
  • src/Repositories/BlogRepository.php (+3 -0, modified)
    @@ -116,6 +116,7 @@ public function search($input)
          */
         public function store($payload)
         {
    +        $payload['title'] = htmlentities($payload['title']);
             $payload['url'] = Quarx::convertToURL($payload['url']);
             $payload['is_published'] = (isset($payload['is_published'])) ? (bool) $payload['is_published'] : 0;
             $payload['published_at'] = (isset($payload['published_at']) && !empty($payload['published_at'])) ? Carbon::parse($payload['published_at'])->format('Y-m-d H:i:s') : Carbon::now(config('app.timezone'))->format('Y-m-d H:i:s');
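Review bot: `htmlentities($payload['title'])` is called with default flags; on the PHP 7 releases current at the time of this commit that default is ENT_COMPAT, which encodes `& < > "` but leaves `'` alone, so a title rendered into a single-quoted attribute can still break out. Pass the flags and charset explicitly: `htmlentities($payload['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8')`. Note also that encoding at write time changes what the database holds: any view that already escapes on output will now double-encode, and search, feeds or API consumers will see entities instead of the original text; encoding in the templates would avoid both.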
    @@ -183,6 +184,8 @@ public function findBlogsByTag($tag)
          */
         public function update($blog, $payload)
         {
    +        $payload['title'] = htmlentities($payload['title']);
    +
             if (isset($payload['hero_image'])) {
                 $file = request()->file('hero_image');
                 $path = FileService::saveFile($file, 'public/images', [], true);
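Review bot: `$payload['title']` is dereferenced unconditionally at the top of update(), while the `isset($payload['hero_image'])` check just below shows that partial payloads are expected here; an update that omits `title` raises an undefined-index notice and `htmlentities(null)` writes an empty string over the existing title. Guard it: `if (isset($payload['title'])) { $payload['title'] = htmlentities($payload['title']); }`. The same applies to every other update() in this change.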
    
  • src/Repositories/EventRepository.php (+2 -0, modified)
    @@ -94,6 +94,7 @@ public function search($input)
          */
         public function store($payload)
         {
    +        $payload['title'] = htmlentities($payload['title']);
             $payload['is_published'] = (isset($payload['is_published'])) ? (bool) $payload['is_published'] : 0;
             $payload['published_at'] = (isset($payload['published_at']) && !empty($payload['published_at'])) ? Carbon::parse($payload['published_at'])->format('Y-m-d H:i:s') : Carbon::now(config('app.timezone'))->format('Y-m-d H:i:s');
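Review bot: the Event title is encoded here, but the advisory description and its affected-field list (Blog title, FAQ question, Page title, Widget name, Menu name) do not mention Events. If the event title was exploitable in the same way, the advisory text should list it; if it was not, the commit message should say why it is included.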
     
    @@ -122,6 +123,7 @@ public function findEventById($id)
          */
         public function update($event, $payload)
         {
    +        $payload['title'] = htmlentities($payload['title']);
             if (!empty($payload['lang']) && $payload['lang'] !== config('quarx.default-language', 'en')) {
                 return $this->translationRepo->createOrUpdate($event->id, 'Yab\Quarx\Models\Event', $payload['lang'], $payload);
             } else {
    
  • src/Repositories/FAQRepository.php (+3 -0, modified)
    @@ -84,6 +84,7 @@ public function search($input)
          */
         public function store($payload)
         {
    +        $payload['question'] = htmlentities($payload['question']);
             $payload['is_published'] = (isset($payload['is_published'])) ? (bool) $payload['is_published'] : 0;
             $payload['published_at'] = (isset($payload['published_at']) && !empty($payload['published_at'])) ? Carbon::parse($payload['published_at'])->format('Y-m-d H:i:s') : Carbon::now(config('app.timezone'))->format('Y-m-d H:i:s');
     
    @@ -112,6 +113,8 @@ public function findFaqById($id)
          */
         public function update($FAQ, $payload)
         {
    +        $payload['question'] = htmlentities($payload['question']);
    +
             if (!empty($payload['lang']) && $payload['lang'] !== config('quarx.default-language', 'en')) {
                 return $this->translationRepo->createOrUpdate($FAQ->id, 'Yab\Quarx\Models\FAQ', $payload['lang'], $payload);
             } else {
    
  • src/Repositories/MenuRepository.php (+2 -0, modified)
    @@ -65,6 +65,7 @@ public function search($input)
          */
         public function store($input)
         {
    +        $input['name'] = htmlentities($input['name']);
             return Menu::create($input);
         }
     
    @@ -102,6 +103,7 @@ public static function getMenuBySLUG($id)
          */
         public function update($menu, $input)
         {
    +        $input['name'] = htmlentities($input['name']);
             return $menu->update($input);
         }
     
    
  • src/Repositories/PageRepository.php (+3 -0, modified)
    @@ -85,6 +85,7 @@ public function store($payload)
                 $payload['blocks'] = json_encode($blockCollection);
             }
     
    +        $input['title'] = htmlentities($input['title']);
             $payload['url'] = Quarx::convertToURL($payload['url']);
             $payload['is_published'] = (isset($payload['is_published'])) ? (bool) $payload['is_published'] : 0;
             $payload['published_at'] = (isset($payload['published_at']) && !empty($payload['published_at'])) ? Carbon::parse($payload['published_at'])->format('Y-m-d H:i:s') : Carbon::now(config('app.timezone'))->format('Y-m-d H:i:s');
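Review bot: this line assigns to `$input['title']`, but the method signature in the hunk header is `store($payload)`; `$input` is an undefined local here, so the page title in `$payload` is stored unencoded and this hunk does not fix the Pages Title case. It should read `$payload['title'] = htmlentities($payload['title']);`.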
    @@ -168,6 +169,8 @@ public function update($page, $payload)
                 $payload['hero_image'] = $path['name'];
             }
     
    +        $input['title'] = htmlentities($input['title']);
    +
             if (!empty($payload['lang']) && $payload['lang'] !== config('quarx.default-language', 'en')) {
                 return $this->translationRepo->createOrUpdate($page->id, 'Yab\Quarx\Models\Page', $payload['lang'], $payload);
             } else {
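Review bot: same variable mix-up as in store() above: the method is `update($page, $payload)` and `$payload` is what goes on to `translationRepo->createOrUpdate(...)` and the else branch, yet the encoding is applied to `$input['title']`. As committed, page title updates remain unencoded; change it to `$payload['title']`, with an isset guard.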
    
  • src/Repositories/WidgetRepository.php (+4 -0, modified)
    @@ -65,6 +65,8 @@ public function search($input)
          */
         public function store($input)
         {
    +        $input['name'] = htmlentities($input['name']);
    +
             return Widget::create($input);
         }
     
    @@ -102,6 +104,8 @@ public static function getWidgetBySLUG($slug)
          */
         public function update($widgets, $payload)
         {
    +        $input['name'] = htmlentities($input['name']);
    +
             if (!empty($payload['lang']) && $payload['lang'] !== config('quarx.default-language', 'en')) {
                 return $this->translationRepo->createOrUpdate($widgets->id, 'Yab\Quarx\Models\Widget', $payload['lang'], $payload);
             } else {
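Review bot: the method signature is `update($widgets, $payload)` and `$payload` is what is forwarded to `translationRepo->createOrUpdate(...)`, but the new line encodes `$input['name']`, a variable that does not exist in this scope. Widget name updates are therefore left unencoded by this commit, while store() above (which really does take `$input`) is correct; use `$payload['name']` here.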
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.