Chevereto
CVE-2018-12030
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Chevereto Free before 1.0.13 has XSS.
AnalysisAI
Chevereto Free before 1.0.13 has XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Affected products include: Chevereto. Version information: before 1.0.13.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image title at the image upload stage. Rated medium sev
Directory traversal vulnerability in Upload/engine.php in Chevereto 1.9.1 allows remote attackers to determine the exist
Cross-site scripting (XSS) vulnerability in Upload/engine.php in Chevereto 1.91 allows remote attackers to inject arbitr
Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile rout
Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one in the user profile and one in the Exif data pars
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today