Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2023-3169 — Cross-site Scripting in Composer
Severity
6.1 MEDIUM (NVD)
EPSS
32.9%
top 3.10%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published
Sep 11
Latest update
Jan 30
Description
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, has no authorisation check on a REST route and neither validates nor escapes some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages
1 package
Vulnerability Details
Exploits & PoCs (9)
Nuclei (1)
tagDiv Composer < 4.2 - Stored Cross-Site Scripting
Vendor Advisories
Threat Intelligence (1)
Unit42 (1)
High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites (2023-11-09)