CVE-2018-16805 Information

Description

In b3log Solo 2.9.3, an XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/b3log/solo/issues/12501

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

4.8

Base Severity

MEDIUM
