A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.
[
{
"vendor": "n/a",
"product": "Craft CMS",
"versions": [
{
"version": "versions prior or equal to version 4.4.11",
"status": "affected"
}
]
}
]