VYPR
Moderate severity · NVD Advisory · Published Aug 23, 2019 · Updated Aug 5, 2024

CVE-2019-15485


Description

CVE-2019-15485: Stored XSS vulnerability in Bolt CMS before 3.6.10 via unsanitized folder/file creation in the file manager.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

CVE-2019-15485 is a stored cross-site scripting (XSS) vulnerability found in Bolt CMS versions prior to 3.6.10. The flaw resides in the Controller/Async/FilesystemManager.php file, specifically in the createFolder and createFile actions. User-controlled input for folder or file names is not properly sanitized, allowing an authenticated user to inject arbitrary JavaScript code into the application [1][2].

Exploitation Details

To exploit this vulnerability, an attacker must be authenticated to the Bolt backend. The attack vector involves crafting a malicious payload as the name of a new folder or file created through the file manager. When the malicious name is displayed in administrative interfaces (e.g., file listing views), the embedded script executes in the context of the victim's browser session. No additional privileges beyond standard authenticated file access are required [2][3].

Impact

The injected script can execute arbitrary actions on behalf of the authenticated victim, including exfiltration of session cookies, modification of site content, or privilege escalation. Because the XSS is stored, every authenticated user who views the file or folder listing is affected, compounding the risk across the admin user base [1][3].

Mitigation

The vulnerability was addressed in Bolt version 3.6.10, released on 2019-08-15. Administrators should update to this version immediately. The patch was introduced via pull request #7800, which escapes output for file and folder names in the file manager UI [2][3]. No workarounds other than upgrading have been identified.
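The two controls the narrative above describes, validating the folder/file name on creation and escaping it when the file manager renders it, are shown below in a small added example. This is illustrative Python written for this page, not Bolt's PHP code or its fix; the sample names, the allowlist regex and the function names are constructed for the demonstration.

```python
import html
import re

# Constructed sample listing: the third name carries markup of the kind the
# advisory describes (an entry name used as a stored XSS vector). These are
# illustrative values, not data taken from the advisory or from Bolt.
SAMPLE_NAMES = [
    "report-2019.txt",
    "images",
    'notes<script>alert("xss")</script>.txt',
]

# Allowlist for a single entry name: letters, digits, space, dot, dash and
# underscore. Path separators are excluded; dot-only and hidden names are
# rejected separately below. (Assumed policy, not Bolt's.)
_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,255}$")


def validate_entry_name(name: str) -> bool:
    """Input-side check: accept only a conservative character set and refuse
    anything that could act as a path component or a hidden file."""
    if not _NAME_RE.fullmatch(name):
        return False
    if name in (".", "..") or name.startswith("."):
        return False
    return True


def render_listing_unescaped(names) -> str:
    """The weak pattern: names are concatenated straight into markup, so a
    name containing tags is handed to the browser as HTML."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_listing(names) -> str:
    """Output-side fix: HTML-escape every name (quotes included) so the
    browser renders it as text. This is the escaping the advisory credits the
    3.6.10 fix with; the mechanism is generic and not tied to Bolt's templates."""
    return "<ul>" + "".join(
        f"<li>{html.escape(n, quote=True)}</li>" for n in names
    ) + "</ul>"


def reject_unsafe(names):
    """Return the names the input validator would refuse at creation time."""
    return [n for n in names if not validate_entry_name(n)]


if __name__ == "__main__":
    print(render_listing_unescaped(SAMPLE_NAMES))   # markup passes through
    print(render_listing(SAMPLE_NAMES))             # markup is inert text
    print("rejected on creation:", reject_unsafe(SAMPLE_NAMES))
```

Escaping on output is the fix the advisory points to and is the one that holds regardless of how a name got into storage; the creation-time allowlist is a defence-in-depth layer that also keeps names from doubling as path traversal input, which is why both are shown together.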

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           bolt/bolt (Packagist)
Affected versions: < 3.6.10
Patched versions:  3.6.10

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.