CVE-2018-7476 — MEDIUM (6.1)

Vulnerability Description

controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>' character.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Finecms	Finecms	5.3.0

Related Weaknesses (CWE)

CWE-79

References

https://gitee.com/w1tcher/finecms/commit/6978c63b3bc5e0d1038a23bfc6293ad5e9d5f53PatchThird Party Advisory
https://www.from0to1.me/index.php/archives/22/Third Party AdvisoryURL Repurposed
https://gitee.com/w1tcher/finecms/commit/6978c63b3bc5e0d1038a23bfc6293ad5e9d5f53PatchThird Party Advisory
https://www.from0to1.me/index.php/archives/22/Third Party AdvisoryURL Repurposed

FAQ

What is CVE-2018-7476?

CVE-2018-7476 is a vulnerability with a CVSS score of 6.1 (MEDIUM). controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanis...

How severe is CVE-2018-7476?

CVE-2018-7476 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-7476?

Check the references section above for vendor advisories and patch information. Affected products include: Finecms Finecms.