CVE-2018-7261: radiant vulnerable to Cross-site Scripting
CVSS Score (v3.0): 5.4
Basic Information
CVE ID: CVE-2018-7261
GHSA ID:
EPSS Score: 0.41847%
CWE:
Published: 2018-07-27
Updated: 2023-01-26
KEV Status (CISA Known Exploited Vulnerabilities): No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Read as a stored XSS profile: reachable over the network with low attack complexity, but the attacker needs an authenticated low-privilege account (PR:L) to submit the payload and a victim must view the affected page (UI:R); scope is changed (S:C) because the payload runs in the victim's browser rather than in the application, with low confidentiality and integrity impact and no availability impact.

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
radiant | rubygems | = 1.1.4 | (none listed)
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsanitized user input in the Personal Preferences and Configuration modules. In Rails applications, controller actions (e.g., `update`) handle form parameters directly. The absence of input sanitization in these controllers (`UsersController`, `ConfigurationController`) and in the model save operations allows XSS payloads to persist. Page Parts/Fields are explicitly listed as affected components, implying that their persistence logic also lacks sanitization. Confidence is high for the controllers because they handle the parameters directly, and medium for the models because their storage logic is inferred.

Persisting the payload is only half of the condition: a stored XSS payload executes when a view renders the saved value without HTML escaping. Rails escapes `<%= %>` output by default, so when reviewing a fix, check the render path for these fields (`raw`, `html_safe`, or any template engine that emits the value verbatim) as well as the write path; input sanitization is defense in depth, output escaping is the primary control.
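To make the failure mode concrete, the following is an added example written for this page; it is not Radiant's code. A hypothetical `update` action persists a form field into a toy in-memory store, two render paths show the stored payload surviving unescaped interpolation (plain ERB `<%= %>`, which behaves like a Rails view rendering through `raw`/`html_safe`) versus being neutralised by `ERB::Util.html_escape`, and a tag-stripping write path shows the input-side sanitization the analysis describes. The names `STORE`, `update_unsanitized`, `update_sanitized`, `render_vulnerable`, `render_escaped`, `script_survives?` and the payload string are all assumptions for illustration.

```ruby
require "erb"

# Constructed payload of the kind submitted through a Personal Preferences or
# Configuration form field (example data, not taken from the advisory).
XSS_PAYLOAD = "<script>alert(document.cookie)</script>".freeze

# Toy stand-in for the persisted preference/configuration record.
# Hypothetical; it is not Radiant's model layer.
STORE = {}

# Vulnerable write path: copies the form parameter into the record as-is,
# the "unsanitized user input" the root cause analysis describes.
def update_unsanitized(params)
  STORE[:site_title] = params["site_title"].to_s
end

# Hardened write path (defense in depth): strip tags before persisting.
# A regex is enough for this toy; a real application should use an allowlist
# sanitizer such as rails-html-sanitizer's SafeListSanitizer.
def update_sanitized(params)
  STORE[:site_title] = params["site_title"].to_s.gsub(/<[^>]*>/, "")
end

# Plain ERB does NOT escape <%= %> output, which is what a Rails view
# effectively does when it renders a value through raw or html_safe.
VULNERABLE_TEMPLATE = ERB.new("<title><%= title %></title>")

# Escaping on output is the primary XSS control. Rails does this by default
# for <%= %>; here it is called explicitly via ERB::Util.html_escape.
SAFE_TEMPLATE = ERB.new("<title><%= ERB::Util.html_escape(title) %></title>")

def render_vulnerable(title)
  VULNERABLE_TEMPLATE.result_with_hash(title: title)
end

def render_escaped(title)
  SAFE_TEMPLATE.result_with_hash(title: title)
end

# Crude check used by the demonstration: does a script element survive
# into the rendered HTML?
def script_survives?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  update_unsanitized("site_title" => XSS_PAYLOAD)
  puts "unescaped: #{render_vulnerable(STORE[:site_title])}"
  puts "escaped:   #{render_escaped(STORE[:site_title])}"
  update_sanitized("site_title" => XSS_PAYLOAD)
  puts "sanitized: #{render_vulnerable(STORE[:site_title])}"
end
```

Running the file shows the three outcomes side by side: the unsanitized value rendered through the unescaped template contains a live `<script>` element, the same value rendered through the escaping template is inert HTML text, and the tag-stripped value is harmless even on the vulnerable render path. Note that the regex strip is a toy; it is not a substitute for a real allowlist sanitizer, and it would not help with payloads that need no angle brackets in an attribute context.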