A vulnerability classified as problematic has been found in JPress 1.0-rc.5. Affected is an unknown code of the file starter-tomcat-1.0/admin/setting of the component Input Fields. The manipulation of the argument web_name as part of a Parameter leads to a cross site scripting vulnerability (Stored). CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. CVE summarizes:

In JPress v1.0-rc.5, there is stored XSS via each of the first three input fields to the starter-tomcat-1.0/admin/setting URI, as demonstrated by the web_name parameter.

The bug was discovered 11/07/2018. The weakness was presented 11/11/2018 (Website). The advisory is shared for download at github.com. This vulnerability is traded as CVE-2018-19170 since 11/10/2018. It is possible to launch the attack remotely. A authentication is needed for exploitation. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1059.007.

The vulnerability was handled as a non-public zero-day exploit for at least 4 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Name

• JPress

Version

• 1.0-rc.5

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion