Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-9554 — Cross-site Scripting in Craft CMS

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

1.5%

top 18.57%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Craftcms Craft CMS

Timeline

PublishedDec 31

Latest updateMay 24

Description

In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDcraftcms/craft_cms3.1.12

🔴Vulnerability Details

GHSA

GHSA-3ffr-8mcm-r575: In the 3↗2022-05-24

▶

💥Exploits & PoCs

Exploit-DB

Craft CMS 3.1.12 Pro - Cross-Site Scripting↗2019-03-04

▶