CrafterCMS 4.0.2 Cross Site Scripting

`---------------------------------------------------------------------------  
CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting   
Vulnerabilities  
---------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://craftercms.org  
  
  
[-] Affected Versions:  
  
Version 4.0.2 and prior versions.  
Version 3.1.27 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
There are multiple Reflected Cross-Site Scripting vulnerabilities   
affecting CrafterCMS.  
The vulnerabilities exist in every API endpoint that reflect some input   
parameter and  
do produce XML responses. Following are some examples:  
  
• /api/1/site/url/transform - url and transformerName parameters are   
affected  
• /api/1/site/content_store/children - url parameter is affected  
• /api/1/site/content_store/item - url parameter is affected  
  
  
[-] Solution:  
  
Upgrade to version 4.0.3, 3.1.28, or later.  
  
  
[-] Disclosure Timeline:  
  
[22/11/2022] - Vendor notified  
[24/03/2023] - Fixed versions released  
[03/08/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-4136 to these vulnerabilities.  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano, working with IMQ Minded   
Security.  
  
  
[-] Original Advisory:  
  
https://karmainsecurity.com/KIS-2023-09  
  
  
[-] Other References:  
  
https://docs.craftercms.org/en/4.1/security/advisory.html#cv-2023080301  
  
`