Lucene search

GitHub Advisory DatabaseGHSA-QCRJ-6FFC-V7HQ

HistoryMar 03, 2023 - 10:45 p.m.

Craft CMS Stored Cross-site Scripting Injection Vulnerability

2023-03-0322:45:50

CWE-79

GitHub Advisory Database

github.com

xss

craft cms

stored .

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

30.3%

JSON

Summary

When you insert a payload inside a label name or instruction of an entry type, an XSS happens in the quick post widget on the
admin dashboard.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Impact

Tested with the free version of Craft CMS 4.3.6.1

Affected configurations

Vulners

Node

craftcmscmsRange3.7.24–3.7.64

craftcmscmsRange4.0.0-RC1–4.3.7

VendorProductVersionCPE
craftcmscms*cpe:2.3:a:craftcms:cms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
craftcms	cms	*	cpe:2.3:a:craftcms:cms::::::::

References

github.com/advisories/GHSA-qcrj-6ffc-v7hq

github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03

github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq

nvd.nist.gov/vuln/detail/CVE-2023-23927

user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

30.3%

JSON

Related for GHSA-QCRJ-6FFC-V7HQ