CVE-2023-33194 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Craft CMS

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.8MEDIUMNVD

CNA3.7

EPSS

0.1%

top 80.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS Craftercms

Timeline

PublishedMay 26

Description

Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages4 packages

▶Packagistcraftcms/cms4.0.0-RC1 — 4.4.6+1

▶NVDcraftcms/craft_cms3.0.0 — 3.8.6+1

▶CVEListV5craftcms/cms>= 3.0.0, <= 3.8.5, >= 4.0.0-RC1, < 4.4.6+1

▶NVDcraftercms/craftercms4.0.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

CraftCMS stored XSS in Quick Post widget error message↗2023-05-26

▶

OSV

CraftCMS stored XSS in Quick Post widget error message↗2023-05-26

▶

GHSA

CraftCMS stored XSS in Quick Post widget error message↗2023-05-26

▶