Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-25440 — Cross-site Scripting in Civicrm

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 51.85%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Civicrm Debian Civicrm

Timeline

PublishedMay 23

Description

Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶debiandebian/civicrm

▶NVDcivicrm/civicrm5.59

🔴Vulnerability Details

GHSA

GHSA-w275-2cjx-pq96: Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5↗2023-05-23

▶

OSV

CVE-2023-25440: Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5↗2023-05-23

▶

💥Exploits & PoCs

Exploit-DB

CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)↗2023-05-23

▶

📋Vendor Advisories

Debian

CVE-2023-25440: civicrm - Stored Cross Site Scripting (XSS) vulnerability in the add contact function Civi...↗2023

▶