{"id":"CVE-2018-17830","details":"The $args variable in addons/mediapool/pages/index.php in REDAXO 5.6.2 is not effectively filtered, because names are not restricted (only values are restricted). The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=&args[ substring.","modified":"2026-03-13T23:19:59.301909Z","published":"2018-10-01T08:29:01.100Z","references":[{"type":"EVIDENCE","url":"https://github.com/redaxo/redaxo4/issues/421"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/redaxo/redaxo","events":[{"introduced":"0"},{"last_affected":"18a87ced450eb0f12cf43e38def358acbb34c8ec"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.6.2"}]}}],"versions":["5.0.0","5.0.0-alpha7","5.0.0-beta1","5.0.0-beta2","5.0.0-rc","5.0.1","5.1.0","5.2.0","5.2.0-beta1","5.3.0","5.4.0","5.4.0-beta1","5.4.0-beta2","5.5.0","5.5.0-beta1","5.5.1","5.6.0","5.6.0-beta1","5.6.1","5.6.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17830.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}