CVE-2023-28733

2023-03-3012:15:07

CWE-116

CWE-20

CWE-79

[email protected]

web.nvd.nist.gov

anymailing

joomla plugin

vulnerability

xss

cross-site scripting

templates

emails

acymailing

nvd

cve-2023-28733

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

30.0%

JSON

AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign’s creation on front-office.

This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

Affected configurations

NVD

Node

acymailingacymailingRange<8.3.0joomla\!

CPENameOperatorVersion
acymailing:acymailingacymailinglt8.3.0

CPE	Name	Operator	Version
acymailing:acymailing	acymailing	lt	8.3.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Newsletter Plugin for Joomla in the Enterprise version ",
    "vendor": "AcyMailing",
    "versions": [
      {
        "lessThan": "8.3.0",
        "status": "affected",
        "version": "0",
        "versionType": "git"
      }
    ]
  }
]