CVE-2023-2817
Published 2023-05-26
Priority: P4 25 | Severity: medium | CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.44% (35.5th percentile)
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 4.0.0-RC1 < 4.4.12 | 4.4.12 |
| craftcms | craft_cms | <= 4.4.11 | — |
| craftcms | craft_cms | — | — |
OSV (2023-05-26): CVE-2023-2817 [MEDIUM] Stored cross site scripting in Craft CMS
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. This issue was patched in version 4.4.12.
GHSA (2023-05-26): CVE-2023-2817 [MEDIUM] CWE-79 Stored cross site scripting in Craft CMS
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.