Lucene search

GitHub Advisory DatabaseGHSA-MW37-WX8P-GP45

HistorySep 17, 2022 - 12:00 a.m.

Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts

2022-09-1700:00:30

CWE-79

GitHub Advisory Database

github.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

Craft CMS 3.70-RC1–3.7.55.1 and 4.0.0-RC1–4.2.0.1 are vulnerable to Cross Site Scripting (XSS) via entry revisions and drafts. Versions 3.7.55.2 and 4.2.1 contain patches for this issue.

Affected configurations

Vulners

Node

craftcmscraft_cmsRange<4.2.1

craftcmscraft_cmsRange<3.7.55.2

CPENameOperatorVersion
craftcms/cmslt4.2.1
craftcms/cmslt3.7.55.2

CPE	Name	Operator	Version
	craftcms/cms	lt	4.2.1
	craftcms/cms	lt	3.7.55.2

References

craft.com

github.com/advisories/GHSA-mw37-wx8p-gp45

github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09

github.com/craftcms/cms/commit/7139213dbd9e177a3528aac8e2db8de91830f118

github.com/craftcms/cms/commit/919c9074ff8596bf30a629b0888c529793e9a903

github.com/craftcms/cms/commit/f0d9b8a1e3ac005a2418f7d3d9059b49a96e73ea

labs.integrity.pt/advisories/cve-2022-37251/

nvd.nist.gov/vuln/detail/CVE-2022-37251