CVE-2023-23927
published 2023-03-03


Priority: P4 23, medium, 5.4 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.80% (52.0th percentile)

Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, a cross-site scripting (XSS) issue occurs in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | < 4.3.7 | 4.3.7 |
| craftcms | cms | >= 3.7.24 < 3.7.64 | 3.7.64 |
| craftcms | cms | >= 4.0.0-RC1 < 4.3.7 | 4.3.7 |
| craftcms | craft_cms | < 4.3.7 | 4.3.7 |