Lucene search

GitHub_MVULNRICHMENT:CVE-2024-45406

HistorySep 09, 2024 - 4:46 p.m.

CVE-2024-45406 Craft CMS stored XSS in breadcrumb list and title fields

2024-09-0916:46:26

CWE-79

CWE-80

GitHub_M

github.com

cve-2024-45406

craft cms

stored xss

CVSS3

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

5.9

Confidence

High

EPSS

Percentile

14.7%

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*"
    ],
    "vendor": "craftcms",
    "product": "craft_cms",
    "versions": [
      {
        "status": "affected",
        "version": "5.0.0",
        "lessThan": "5.1.2",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8

github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42