Description
A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml.