VYPR
Moderate severity · NVD Advisory · Published Aug 23, 2019 · Updated Aug 5, 2024

CVE-2019-15484

Description

Bolt CMS before 3.6.10 has a stored XSS vulnerability where an attacker can inject malicious scripts via an image's alt or title fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-15484 describes a stored Cross-Site Scripting (XSS) vulnerability in the Bolt content management system, affecting versions prior to 3.6.10. The vulnerability exists because the application fails to properly sanitize user-supplied input in the alt and title attributes of images. An authenticated attacker can inject arbitrary JavaScript code into these fields, which will then be executed in the browsers of other users who view the affected content [1][2].

Exploitation

Prerequisites

Exploitation requires the attacker to have an authenticated session with sufficient privileges to edit or create content containing images, specifically the ability to modify image metadata such as alt text and titles. The vulnerability is triggered when a victim (typically another editor or site visitor) loads a page that renders the maliciously crafted image, causing the injected script to execute in their browser context [2][4].

Impact

Successful exploitation allows the attacker to perform actions within the context of the victim's session, such as stealing session cookies, defacing the site, or performing privileged operations on behalf of the victim. Since the XSS is stored in the database, every user viewing the affected image is potentially compromised [1][2].

Mitigation

The vulnerability was addressed in Bolt version 3.6.10, released on August 15, 2019. The fix was implemented via pull request #7801, which added proper sanitization of image alt and title fields before rendering [2][4]. Users running Bolt 3.x are strongly advised to upgrade to 3.6.10 or later. No workaround is provided other than updating to the patched version.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
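The narrative above describes the defect in general terms: image alt and title values reach the rendered page without being encoded for the HTML attribute context, and the fix is to encode them before rendering. The following Python example (added here; it is not Bolt's code and does not reproduce pull request #7801) shows the two rendering patterns side by side and uses the standard library's HTML parser to check what attributes a browser would actually see. The sample alt text, file path and helper names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not taken from the advisory). The alt text carries
# a double quote so that, without encoding, it terminates the attribute early.
SAMPLE_SRC = "/files/team.jpg"
SAMPLE_ALT = 'Team photo" onerror="alert(1)'
SAMPLE_TITLE = "Team"


def render_img_unescaped(src: str, alt: str, title: str) -> str:
    """Pre-fix style: metadata is concatenated straight into the attribute
    context, so any double quote in alt/title closes the attribute."""
    return f'<img src="{src}" alt="{alt}" title="{title}">'


def render_img_escaped(src: str, alt: str, title: str) -> str:
    """Hardened style: encode every value for a double-quoted attribute.
    quote=True turns both " and ' into entities, so the value can no longer
    close the attribute or start a new one."""
    return (
        f'<img src="{html.escape(src, quote=True)}" '
        f'alt="{html.escape(alt, quote=True)}" '
        f'title="{html.escape(title, quote=True)}">'
    )


class _ImgAttrs(HTMLParser):
    """Collects the attributes the parser assigns to the first <img> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            # Attribute values are entity-decoded by HTMLParser, so the
            # escaped rendering comes back as the original alt text.
            self.attrs = dict(attrs)


def parsed_img_attrs(markup: str) -> dict:
    """Return the attribute map a tolerant HTML parser sees on the <img>."""
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """Defensive check: did any on* attribute appear on the rendered tag?
    For a field that should only ever hold text, this indicates a breakout."""
    return any(name.startswith("on") for name in parsed_img_attrs(markup))


if __name__ == "__main__":
    unsafe = render_img_unescaped(SAMPLE_SRC, SAMPLE_ALT, SAMPLE_TITLE)
    safe = render_img_escaped(SAMPLE_SRC, SAMPLE_ALT, SAMPLE_TITLE)
    print("unescaped:", unsafe, "->", parsed_img_attrs(unsafe))
    print("escaped:  ", safe, "->", parsed_img_attrs(safe))
```

In the unescaped rendering the parser reports an `onerror` attribute that the content author never intended, while in the escaped rendering the whole string survives as the value of `alt` and nothing else. The encoding has to match the context: text between tags, a quoted attribute value and a JavaScript string each need a different encoder, which is why templating engines such as Twig (used by Bolt) default to context-aware auto-escaping and why explicitly marking a field as raw should be treated as a review finding.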

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bolt/bolt (Packagist)
Affected versions: < 3.6.10
Patched versions: 3.6.10

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)