CVE-2023-23927
Published 2023-03-03
Priority: P4 (23) · Severity: medium · CVSS 3.1 base score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.80% (52.0th percentile)
Craft is a platform for creating digital experiences. When a payload is inserted into the label or the instructions of a field in an entry type, a stored cross-site scripting (XSS) vulnerability is triggered in the Quick Post widget on the admin dashboard. The issue is fixed in version 4.3.7 (and in 3.7.64 for the 3.x branch).
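The bug class behind this CVE (CWE-79) is a stored string that an authenticated control-panel user configures once (a field label or instructions) and that the dashboard later renders into markup without escaping. The model below is an added illustration written for this page, not Craft's Twig templates or any code from the project: `render_quick_post_unsafe` mimics the pre-4.3.7 failure mode, `render_quick_post_safe` the escaped form, and `has_injected_tag` is the kind of regression check a fix should ship with. The field layout and payload are constructed sample data.

```python
"""Vulnerable vs. hardened rendering of entry-type field labels/instructions
into a dashboard widget (illustration of CVE-2023-23927's bug class, CWE-79).
Added example for this page; not Craft CMS code."""
import html

# Constructed sample data: an XSS payload stored in both places the advisory
# names, the field label and the field instructions.
PAYLOAD = '<img src=x onerror=alert(document.cookie)>'
FIELD_LAYOUT = [
    {"handle": "title", "label": "Title", "instructions": "Headline of the post"},
    {"handle": "body", "label": f"Body{PAYLOAD}", "instructions": f"Write here {PAYLOAD}"},
]


def render_quick_post_unsafe(fields):
    """Vulnerable renderer: stored strings are interpolated straight into HTML,
    so anything saved as a label or instruction executes in the admin's browser."""
    rows = []
    for f in fields:
        rows.append(
            f'<label for="{f["handle"]}">{f["label"]}</label>'
            f'<p class="instructions">{f["instructions"]}</p>'
            f'<input id="{f["handle"]}" name="{f["handle"]}">'
        )
    return '<form class="quick-post">' + "".join(rows) + "</form>"


def render_quick_post_safe(fields):
    """Hardened renderer: every stored string is HTML-escaped for the context it
    lands in. html.escape(quote=True) also neutralises quotes, which matters for
    the attribute positions (for=, id=, name=)."""
    rows = []
    for f in fields:
        handle = html.escape(f["handle"], quote=True)
        rows.append(
            f'<label for="{handle}">{html.escape(f["label"], quote=True)}</label>'
            f'<p class="instructions">{html.escape(f["instructions"], quote=True)}</p>'
            f'<input id="{handle}" name="{handle}">'
        )
    return '<form class="quick-post">' + "".join(rows) + "</form>"


def has_injected_tag(rendered: str, payload: str = PAYLOAD) -> bool:
    """Regression check: does the stored payload survive as live markup?"""
    return payload in rendered


if __name__ == "__main__":
    print("unsafe renderer leaks payload:", has_injected_tag(render_quick_post_unsafe(FIELD_LAYOUT)))
    print("safe renderer leaks payload:  ", has_injected_tag(render_quick_post_safe(FIELD_LAYOUT)))
```

The same check is worth running against every other place a label or instruction string is rendered (field layout designer, entry edit form, element index), since a stored payload fires wherever the escaping was missed, not only in the widget the reporter happened to test.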
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | < 4.3.7 | 4.3.7 |
| craftcms | cms | >= 3.7.24 < 3.7.64 | 3.7.64 |
| craftcms | cms | >= 4.0.0-RC1 < 4.3.7 | 4.3.7 |
| craftcms | craft_cms | < 4.3.7 | 4.3.7 |
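A practical check for this entry is to read the `craftcms/cms` version out of a project's `composer.lock` and compare it against the ranges above. The script below is an added example for this page, not Craft's own tooling. It uses the two branch-aware ranges from the table (`>= 3.7.24 < 3.7.64` and `>= 4.0.0-RC1 < 4.3.7`); the flat `< 4.3.7` ranges that come from the CPE data are not used because they would also flag 3.7.64 and later, which the 3.x fix covers. The version parser handles Craft's four-component releases (4.3.6.1) and pre-release suffixes (4.0.0-RC1); the embedded `composer.lock` fragment is constructed sample input, and the standard `packages` / `packages-dev` layout of a Composer lock file is assumed.

```python
"""Check a composer.lock for a craftcms/cms version inside the affected ranges
of CVE-2023-23927. Added example for this page; not Craft CMS tooling."""
import json
import re
from typing import Optional

# Branch-aware affected ranges from the advisory table: (introduced, fixed).
# The flat "< 4.3.7" CPE ranges are deliberately not used (see lead-in).
AFFECTED_RANGES = [
    ("3.7.24", "3.7.64"),
    ("4.0.0-RC1", "4.3.7"),
]

_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v: str) -> tuple:
    """Turn '4.3.6.1' or '4.0.0-RC1' into a tuple that compares correctly.
    Numeric parts are padded to four components so 4.3.7 == 4.3.7.0, and a
    final release always sorts after any pre-release of the same core."""
    v = v.strip().lstrip("v")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    core = tuple(int(x) for x in m.group(1).split("."))
    core = core + (0,) * (4 - len(core))
    if m.group(2):
        pre = (0, _PRE_ORDER.get(m.group(2).lower(), 3), int(m.group(3) or 0))
    else:
        pre = (1, 0, 0)
    return core + pre


def is_affected(version: str) -> bool:
    """True if version falls in any (introduced <= v < fixed) range."""
    v = parse_version(version)
    return any(
        parse_version(introduced) <= v < parse_version(fixed)
        for introduced, fixed in AFFECTED_RANGES
    )


def craft_version_from_lock(lock_json: str) -> Optional[str]:
    """Return the installed craftcms/cms version recorded in a composer.lock."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


# Constructed sample composer.lock fragment (not taken from a real project);
# 4.3.6.1 is the version the reporter tested against.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.3.6.1"},
        {"name": "twig/twig", "version": "v3.5.0"},
    ],
    "packages-dev": [],
})


def audit(lock_json: str) -> str:
    version = craft_version_from_lock(lock_json)
    if version is None:
        return "craftcms/cms not found in composer.lock"
    status = "AFFECTED" if is_affected(version) else "not affected"
    return f"craftcms/cms {version}: {status} by CVE-2023-23927"


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(audit(source))
```

Run it as `python check_craft_cve_2023_23927.py path/to/composer.lock`; with no argument it audits the embedded sample. The lock file reflects what was installed, which is the right thing to check; `composer.json` constraints such as `^4.3` say nothing about the version actually deployed.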
GHSA
Craft CMS Stored Cross-site Scripting Injection Vulnerability
ghsa · 2023-03-03 · CVE-2023-23927 · MEDIUM · CWE-79
### Summary
_When you insert a payload inside a label name or instruction of an entry type, an XSS happens in the quick post widget on the admin dashboard._
### PoC
[_Complete instructions, including specific configuration details, to reproduce the vulnerability._](https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4) (the PoC is an .mp4 recording; no written steps are indexed)
### Impact
Tested with the free version of Craft CMS 4.3.6.1
OSV
Craft CMS Stored Cross-site Scripting Injection Vulnerability
osv · 2023-03-03 · CVE-2023-23927 · MEDIUM
Same advisory text as the GHSA entry above (summary, PoC video link and the "tested with Craft CMS 4.3.6.1" impact note).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03
- https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq
- https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4