CVE-2018-18865

HIGH

Royal TS < 4.3.60728 and TSX < 3.3.1 - Credentials Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18865. PoCs published by Jakub Palaczynski.

AI-analyzed exploit summary: This exploit demonstrates an information disclosure vulnerability in Royal TS/X. The WebSocket service accepts connections without origin validation, which allows stored credentials to be retrieved. The PoC sends crafted JSON commands to extract document names, credentials, and login information.

Description

The Royal browser extensions TS before 4.3.60728 (Release Date 2018-07-28) and TSX before 3.3.1 (Release Date 2018-09-13) allow Credentials Disclosure.

Exploits (1)

exploitdb WORKING POC
by Jakub Palaczynski · html · webapps · json
https://www.exploit-db.com/exploits/45783

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Royal TS/X < v5 Beta / Royal TSX < v4 Beta
No auth needed
Prerequisites: Browser extension enabled · WebSocket service running on default port 54890
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Nov/4
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45783/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/150136/Royal-TS-X-Information-Disclosure.html
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Nov/25

Scores

CVSS v3 8.1
EPSS 0.1964
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-200
Status published
Products (2)
royalapplications/royal_ts < 4.3.60728
royalapplications/royal_tsx < 3.3.1
Published Nov 20, 2018
Tracked Since Feb 18, 2026