Lucene search

GoogleOSV:GHSA-QCRJ-6FFC-V7HQ

HistoryMar 03, 2023 - 10:45 p.m.

Craft CMS Stored Cross-site Scripting Injection Vulnerability

2023-03-0322:45:50

Google

osv.dev

craft cms

stored

cross-site scripting

vulnerability

admin dashboard

entry type

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

29.0%

JSON

Summary

When you insert a payload inside a label name or instruction of an entry type, an XSS happens in the quick post widget on the
admin dashboard.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Impact

Tested with the free version of Craft CMS 4.3.6.1

CPENameOperatorVersion
craftcms/cmseq3.7.40.1
craftcms/cmseq3.7.33
craftcms/cmseq4.0.6
craftcms/cmseq4.3.3
craftcms/cmseq4.1.0.1
craftcms/cmseq3.7.50
craftcms/cmseq3.7.59
craftcms/cmseq4.1.4
craftcms/cmseq3.7.58
craftcms/cmseq3.7.55.2

Name	Operator	Version
craftcms/cms	eq	3.7.40.1
craftcms/cms	eq	3.7.33
craftcms/cms	eq	4.0.6
craftcms/cms	eq	4.3.3
craftcms/cms	eq	4.1.0.1
craftcms/cms	eq	3.7.50
craftcms/cms	eq	3.7.59
craftcms/cms	eq	4.1.4
craftcms/cms	eq	3.7.58
craftcms/cms	eq	3.7.55.2

Rows per page:

1-10 of 971

References

github.com/craftcms/cms

github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03

github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq

nvd.nist.gov/vuln/detail/CVE-2023-23927

user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

29.0%

JSON

Related for OSV:GHSA-QCRJ-6FFC-V7HQ