Cross-Site Scripting in FUEL CMS Admin Console by Daylight Studio
CVE-2019-15228

5.4 MEDIUM

Key Information:

Status
Vendor
CVE Published: 20 August 2019

What is CVE-2019-15228?

FUEL CMS version 1.4.4 is susceptible to a Cross-Site Scripting (XSS) vulnerability within the Create Blocks section of its Admin console. This flaw allows attackers with authenticated accounts to potentially execute malicious scripts within a user's browser session, which can lead to cookie theft and unauthorized actions. Furthermore, even unauthenticated users can be impacted, making it critical for website administrators to apply necessary mitigations and updates to protect their systems.

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
