From f724fe3499cb679ec3a254ffb1bb84179523acdb Mon Sep 17 00:00:00 2001
From: Thomas von Deyen
Date: Thu, 6 Nov 2025 23:28:06 +0100
Subject: [PATCH] Add patched version for CVE-2018-18307 in alchemy_cms

Fixed in v7.4.10 via filename sanitization. The vulnerability was a stored XSS attack via the /admin/pictures image filename field. The fix sanitizes filenames during upload to prevent malicious content from being stored and executed.

Ref: https://github.com/AlchemyCMS/alchemy_cms/pull/3375
Ref: https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.10
---
 gems/alchemy_cms/CVE-2018-18307.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gems/alchemy_cms/CVE-2018-18307.yml b/gems/alchemy_cms/CVE-2018-18307.yml
index 8f924e29a5..ce79b501a7 100644
--- a/gems/alchemy_cms/CVE-2018-18307.yml
+++ b/gems/alchemy_cms/CVE-2018-18307.yml
@@ -11,7 +11,8 @@ description: |
 cvss_v3: 5.9
 unaffected_versions:
 - "< 4.1.0"
-notes: Never patched
+patched_versions:
+- ">= 7.4.10"
 related:
   url:
   - https://nvd.nist.gov/vuln/detail/CVE-2018-18307
@@ -19,4 +20,6 @@ related:
   - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
   - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
   - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
+  - https://github.com/AlchemyCMS/alchemy_cms/pull/3375
+  - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.10
   - https://github.com/advisories/GHSA-7mj4-2984-955f
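Review bot: The single `patched_versions` entry `">= 7.4.10"` in the first hunk means every release from 4.1.0 up to 7.4.10 will be reported as vulnerable by bundler-audit; that is only right if the fix in PR 3375 was not backported to any older maintained branch, which this commit does not state. Please confirm against the linked release page and, if a backport exists, add a second range line such as `- ">= <BACKPORT_VERSION>, < <NEXT_MINOR>"` (placeholder values) so users on those branches are not told to upgrade across majors. The `description: |` block named in the hunk header starts above this hunk, and since the removed `notes: Never patched` line suggests the entry was written as unfixed, the description body should be re-read to make sure it does not still call the issue unpatched. The trailing URL additions in the second hunk look fine.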