Lucene search

GitHub Advisory DatabaseGHSA-38RQ-RH9W-CMW6

HistoryMay 24, 2022 - 5:34 p.m.

Cross site scripting in Crafter CMS

2022-05-2417:34:59

CWE-79

GitHub Advisory Database

github.com

crafter cms

crafter studio 3.0.1

unauthenticated attacker

malicious javascript code

stored xss

blind xss

admin panel

software

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

38.6%

JSON

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.

Affected configurations

Vulners

Node

org.craftercmscrafter-coreRange3.0.0–3.0.1

VendorProductVersionCPE
org.craftercmscrafter-core*cpe:2.3:a:org.craftercms:crafter-core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.craftercms	crafter-core	*	cpe:2.3:a:org.craftercms:crafter-core::::::::

References

docs.craftercms.org/en/3.0/security/advisory.html

github.com/advisories/GHSA-38rq-rh9w-cmw6

nvd.nist.gov/vuln/detail/CVE-2017-15682

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

38.6%

JSON

Related for GHSA-38RQ-RH9W-CMW6