CVE-2018-18087

2018-10-0920:29:00

Google

osv.dev

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

20.7%

JSON

The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the “Manage portfolio” privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor. The vulnerability is triggered by visiting /portfolio/${project_title}.

References

github.com/Bixie/pagekit-portfolio/issues/44