Add patched version for CVE-2018-18307 in alchemy_cms

tvdeyen · postmodern · commit 13ca6fb49e1b · 2025-11-06T17:55:21.000-08:00
Fixed in v7.4.10 via filename sanitization. The vulnerability was a stored XSS attack via the /admin/pictures image filename field. The fix sanitizes filenames during upload to prevent malicious content from being stored and executed. Ref: AlchemyCMS/alchemy_cms#3375 Ref: https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.10
diff --git a/gems/alchemy_cms/CVE-2018-18307.yml b/gems/alchemy_cms/CVE-2018-18307.yml
@@ -11,12 +11,15 @@ description: |
 cvss_v3: 5.9
 unaffected_versions:
 - "< 4.1.0"
-notes: Never patched
+patched_versions:
+- ">= 7.4.10"
 related:
   url:
   - https://nvd.nist.gov/vuln/detail/CVE-2018-18307
   - http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
   - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
   - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
   - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
+  - https://github.com/AlchemyCMS/alchemy_cms/pull/3375
+  - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.10
   - https://github.com/advisories/GHSA-7mj4-2984-955f
