Cross-Site Scripting (XSS) Vulnerability in Symphony 3.3.0 and earlier

Cross-Site Scripting (XSS) Vulnerability in Symphony 3.3.0 and earlier

CVE-2018-16249 · LOW Severity

AV:N/AC:M/AU:S/C:N/I:P/A:N

In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.

Learn more about our Web App Pen Testing.