CVE-2019-15483
Description
Bolt CMS before 3.6.10 contains a stored XSS vulnerability where a title field is not sanitized before being logged, allowing authenticated users to execute arbitrary JavaScript in the system log viewer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2019-15483 is a stored cross-site scripting (XSS) vulnerability in Bolt CMS versions prior to 3.6.10. The root cause is improper sanitization of user-supplied title input when it is written to the system log. When a title containing malicious JavaScript is saved, it is later rendered unsanitized in the system log viewer, leading to script execution [1][2].
Exploitation
Prerequisites
An attacker must have authenticated access to Bolt and the ability to create or edit content that includes a title field. The malicious title is stored and subsequently displayed in the system log, which is typically accessed by administrators. No additional privileges beyond basic content creation are required [2][4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an administrator's session. This can lead to session hijacking, theft of sensitive data, or further compromise of the CMS instance. The vulnerability is classified as a security issue and was responsibly disclosed [4].
Mitigation
The vulnerability is fixed in Bolt version 3.6.10, released on August 15, 2019. Users are strongly advised to upgrade to this version or later. No workarounds are documented [4].
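As an added illustration of the defect class described above (not Bolt's own code, and not the fix from the linked pull request), the snippet below contrasts a log-viewer row that interpolates a stored title straight into HTML with one that escapes every untrusted field at output time; `renderLogRowUnsafe`, `renderLogRowSafe` and `e` are hypothetical names, and the log entry is constructed.

```php
<?php
// Constructed log entry: the title is whatever a content editor typed.
// The marker contains no working script; it only shows whether markup survives.
$entry = [
    'level'   => 'info',
    'message' => 'Content saved',
    'title'   => '<script>/* constructed marker */</script>Hello',
];

// Vulnerable pattern: the stored title lands in the viewer's HTML unescaped,
// so any markup in it is parsed by the administrator's browser.
function renderLogRowUnsafe(array $entry): string
{
    return "<tr><td>{$entry['level']}</td>"
         . "<td>{$entry['message']}: {$entry['title']}</td></tr>";
}

// Escape for an HTML text/attribute context. ENT_QUOTES also covers attribute
// values; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8, which would
// otherwise silently drop the entry from the viewer.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: escape at the point of output regardless of whether the
// value was sanitized when it was logged, since stored data may predate a fix.
function renderLogRowSafe(array $entry): string
{
    return '<tr><td>' . e($entry['level']) . '</td><td>'
         . e($entry['message']) . ': ' . e($entry['title']) . '</td></tr>';
}

// Regression check a maintainer can keep in the test suite.
$unsafe = renderLogRowUnsafe($entry);
$safe   = renderLogRowSafe($entry);
assert(str_contains($unsafe, '<script>'));        // markup passes through untouched
assert(!str_contains($safe, '<script>'));         // markup is now inert text
assert(str_contains($safe, '&lt;script&gt;'));    // rendered as a literal string

echo $safe, PHP_EOL;
```

Template engines with autoescaping give the same protection only when the log template does not disable it for the title field, so the check above is worth keeping even after such a fix lands.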
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bolt/bolt (Packagist) | < 3.6.10 | 3.6.10 |
Affected products
- Bolt/Bolt
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-ph84-vg7q-fqq8 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-15483 (NVD entry)
- [3] github.com/bolt/bolt/pull/7802 (fix pull request)
- [4] github.com/bolt/bolt/releases/tag/v3.6.10 (release notes)
News mentions
No linked articles in our index yet.