CVE-2023-31144Cross-site Scripting in Craft CMS

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
0.6%
top 31.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms CMSCraftcms Craft CMS
Timeline
PublishedMay 9

Description

Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

Packagistcraftcms/cms3.0.03.8.4+1
NVDcraftcms/craft_cms3.0.03.8.3+1
CVEListV5craftcms/cms>= 3.0.0, < 3.8.4, >= 4.0.0, < 4.4.4+1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Craft CMS vulnerable to cross site scripting in RSS feed widget2023-05-09
GHSA
craftcms/cms vulnerable to cross site scripting in RSS feed widget2023-05-05
OSV
craftcms/cms vulnerable to cross site scripting in RSS feed widget2023-05-05
CVE-2023-31144 — Cross-site Scripting in Craft CMS | cvebase