QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2018-11564

Back to search

CVE-2018-11564

Published: Jun 1, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg" that will point to http://localhost/pagekit/storage/poc.svg. When a user comes along to click that link, it will trigger a XSS attack.

VendorProductVersions

n/a

n/a

affected
n/a

References

44837
exploit
x_refsource_EXPLOIT-DB

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now