CVE-2023-48701 Statamic CMS vulnerable to Cross-site Scripting via uploaded assets

2023-11-2122:34:11

CWE-79

GitHub_M

www.cve.org

statamic cms

cross-site scripting

uploaded assets

cve-2023-48701

mime validation

front-end forms

control panel

patched

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H

EPSS

0.001

Percentile

20.6%

JSON

Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 an 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the “Forms” feature containing an assets field, or within the control panel which requires authentication. This issue has been patched on 3.4.15 and 4.36.0.

CNA Affected

[
  {
    "vendor": "statamic",
    "product": "cms",
    "versions": [
      {
        "version": "< 3.4.15 ",
        "status": "affected"
      },
      {
        "version": ">= 4.0.0, < 4.36.0",
        "status": "affected"
      }
    ]
  }
]