Skip to content

Add patched version for CVE-2018-18307 in alchemy_cms#917

Merged
postmodern merged 1 commit intorubysec:masterfrom
tvdeyen:patch-cve-2018-18307-alchemy-cms
Nov 7, 2025
Merged

Add patched version for CVE-2018-18307 in alchemy_cms#917
postmodern merged 1 commit intorubysec:masterfrom
tvdeyen:patch-cve-2018-18307-alchemy-cms

Conversation

@tvdeyen
Copy link
Copy Markdown
Contributor

@tvdeyen tvdeyen commented Nov 6, 2025

This PR adds the patched version information for CVE-2018-18307 in AlchemyCMS.

Summary

The stored XSS vulnerability (CVE-2018-18307) via the /admin/pictures image filename field has been fixed in AlchemyCMS v7.4.10.

Changes

  • Added patched_versions: [">= 7.4.10"] to the advisory
  • Removed notes: Never patched as it's now patched
  • Added references to the fixing PR and release

References

The fix sanitizes filenames during upload to prevent malicious content from being stored and executed.

@tvdeyen
Add patched version for CVE-2018-18307 in alchemy_cms
f724fe3 
Fixed in v7.4.10 via filename sanitization.

The vulnerability was a stored XSS attack via the /admin/pictures image
filename field. The fix sanitizes filenames during upload to prevent
malicious content from being stored and executed.

Ref: AlchemyCMS/alchemy_cms#3375
Ref: https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.10
@postmodern postmodern merged commit 13ca6fb into rubysec:master Nov 7, 2025
1 check passed
@tvdeyen tvdeyen deleted the patch-cve-2018-18307-alchemy-cms branch November 7, 2025 06:09
@tvdeyen tvdeyen mentioned this pull request Nov 7, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@postmodern postmodern postmodern approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tvdeyen @postmodern