CVE-2018-15899

6.1 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in MiniCMS 1.10 that allows attackers to inject malicious scripts via the 'date' parameter in post.php. This affects any website running the vulnerable MiniCMS version, potentially compromising user sessions and browser security.

💻 Affected Systems

Products:
  • MiniCMS
Versions: 1.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects MiniCMS installations with the vulnerable post.php endpoint accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to account takeover or data theft.

🟠 Likely Case

Attackers inject malicious JavaScript to steal session cookies or redirect users to phishing sites, compromising individual user accounts.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly weaponized in phishing campaigns and drive-by attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11 or later

Vendor Advisory: https://github.com/bg5sbk/MiniCMS/issues/21

Restart Required: No

Instructions:

1. Download MiniCMS 1.11 or later from the official repository.
2. Back up your current installation.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by testing the post.php endpoint.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to sanitize the 'date' parameter before processing

Modify post.php to include: $date = htmlspecialchars($_GET['date'], ENT_QUOTES, 'UTF-8');

Web Application Firewall Rule

all

Block malicious scripts in the date parameter using WAF rules

Add WAF rule: Block requests to post.php with date parameter containing script tags or JavaScript keywords

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Disable or restrict access to the post.php endpoint if not required

🔍 How to Verify

Check if Vulnerable:

Request post.php?date=<script>alert('XSS')</script> and check whether the script executes.

Check Version:

Check the MiniCMS version in the admin panel or read the version.txt file.

Verify Fix Applied:

Test the same payload after patching; it should display as text, not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests to post.php with script tags in parameters
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing script tags or JavaScript in URL parameters
  • Unusual traffic patterns to post.php endpoint

SIEM Query:

source="web_logs" AND uri="*post.php*" AND (param="*<script>*" OR param="*javascript:*")
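
The log indicators above as a runnable check (an added example, not part of the advisory or of MiniCMS). Request lines in access logs normally carry the payload percent-encoded, so a literal `<script>` match can miss it; this sketch decodes the 'date' parameter before matching. The combined log format, the `/post.php` path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a combined-format access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markers named in the indicators above, plus inline event-handler attributes.
SUSPICIOUS_RE = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "GET /post.php?date=2018-08 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2018:13:56:02 +0000] "GET /post.php?date=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498',
    '203.0.113.9 - - [10/Oct/2018:13:56:40 +0000] "GET /post.php?date=%253Cscript%253E HTTP/1.1" 200 498',
    '203.0.113.7 - - [10/Oct/2018:13:57:11 +0000] "GET /index.php?date=%3Cscript%3E HTTP/1.1" 200 301',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_date_values(log_lines):
    """Return (line_number, decoded_value) for post.php hits with a suspect 'date'."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        url = urlsplit(match.group(1))
        if not url.path.endswith("post.php"):
            continue  # only the endpoint named in this advisory
        # parse_qsl performs the first round of percent-decoding.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if key == "date" and SUSPICIOUS_RE.search(decoded):
                hits.append((number, decoded))
    return hits
```

Calling `suspicious_date_values(SAMPLE_LINES)` flags the single- and double-encoded requests to post.php and ignores the benign date and the unrelated endpoint.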
