Cross-Site Scripting (XSS) Vulnerability in Symphony 3.3.0 and earlier
CVE-2018-16249 · LOW Severity
AV:N/AC:M/AU:S/C:N/I:P/A:N
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.
Learn more about our Web App Pen Testing.