{"id":"CVE-2018-20418","details":"index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.","aliases":["GHSA-72pf-cvwq-vgqg"],"modified":"2026-04-10T04:10:00.614983Z","published":"2018-12-24T04:29:00.243Z","references":[{"type":"ADVISORY","url":"https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.md"},{"type":"EVIDENCE","url":"https://github.com/rdincel1/Craft-CMS-3.0.25---Cross-Site-Scripting"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46054/"},{"type":"EVIDENCE","url":"https://www.raifberkaydincel.com/craft-cms-3-0-25-cross-site-scripting-vulnerability.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"0"},{"last_affected":"30b95277d526af7aeff4a10c23b583fde0adb383"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.0.25"}]}}],"versions":["0.9.2063","0.9.2064","0.9.2065","0.9.2068","0.9.2071","0.9.2078","0.9.2079","0.9.2080","0.9.2081","0.9.2083","0.9.2090","0.9.2094","0.9.2100","0.9.2101","0.9.2102","0.9.2103","0.9.2106","0.9.2116","0.9.2117","0.9.2123","0.9.2124","0.9.2146","0.9.2151","0.9.2157","0.9.2167","0.9.2168","0.9.2177","0.9.2181","0.9.2184","0.9.2189","0.9.2193","0.9.2243","0.9.2246","1.0.0-alpha.2236","1.0.0-alpha.2237","1.0.0-alpha.2238","1.0.0-alpha.2241","1.0.0-alpha.2242","1.0.0-alpha.2244","1.0.0-alpha.2245","1.0.0-alpha.2247","1.0.0-alpha.2248","1.0.0-alpha.2249","1.0.2266","1.1.0-alpha.2283","1.1.0-alpha.2284","1.1.0-alpha.2285","1.1.0-alpha.2288","1.1.2291","1.2.0-alpha.2310","1.2.0-alpha.2312","1.2.0-alpha.2318","1.2.0-alpha.2319","1.2.0-alpha.2322","1.2.0-alpha.2328","1.2.0-alpha.2329","1.2.2333","1.2.2335","1.2.2336","1.2.2339","1.4.0-alpha.2488","1.4.0-alpha.2489","1.4.0-alpha.2490","1.4.0-alpha.2491","1.4.0-alpha.2492","1.4.0-alpha.2493","1.4.0-alpha.2497","1.4.0-alpha.2498","1.4.0-alpha.2499","1.4.0-alpha.2500","1.4.0-alpha.2502","1.4.0-alpha.2503","1.4.0-alpha.2505","1.4.0-alpha.2509","2.0.2524","2.0.2525","2.0.2527","2.0.2532","2.0.2533","2.0.2535","2.0.2536","2.0.2537","2.0.2538","2.0.2539","2.1.0-alpha.2546","2.1.0-alpha.2547","2.1.0-alpha.2552","2.1.2554","2.1.2555","2.1.2556","2.1.2557","2.2.0-alpha.2578","2.2.2579","2.2.2581","2.3.0-alpha.2600","2.3.0-alpha.2602","2.3.0-alpha.2603","2.3.0-alpha.2605","2.3.0-alpha.2606","2.3.0-alpha.2608","2.3.0-alpha.2610","2.3.0-alpha.2612","2.3.2615","2.3.2616","2.3.2617","3.0.0","3.0.0-RC10.1","3.0.0-RC11","3.0.0-RC12","3.0.0-RC13","3.0.0-RC14","3.0.0-RC15","3.0.0-RC16","3.0.0-RC16.1","3.0.0-RC17","3.0.0-RC17.1","3.0.0-alpha.2671","3.0.0-alpha.2681","3.0.0-alpha.2687","3.0.0-alpha.2915","3.0.0-alpha.2918","3.0.0-alpha.2928","3.0.0-alpha.2933","3.0.0-alpha.2937","3.0.0-alpha.2939","3.0.0-alpha.2942","3.0.0-alpha.2948","3.0.0.1","3.0.0.2","3.0.1","3.0.10","3.0.10.1","3.0.10.2","3.0.10.3","3.0.11","3.0.12","3.0.13","3.0.13.1","3.0.13.2","3.0.14","3.0.15","3.0.16","3.0.16.1","3.0.17","3.0.17.1","3.0.18","3.0.19","3.0.2","3.0.20","3.0.21","3.0.22","3.0.23","3.0.23.1","3.0.24","3.0.25","3.0.3","3.0.3.1","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20418.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}