CVE-2023-33195
published 2023-05-27CVE-2023-33195: Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
PriorityP424medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.65%
46.6th percentile
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | >= 4.3.0 < 4.4.6 | 4.4.6 |
| craftcms | craft_cms | >= 4.3.0 < 4.4.6 | 4.4.6 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Craft CMS XSS in RSS widget feed
osv·2023-05-26
CVE-2023-33195 [MEDIUM] Craft CMS XSS in RSS widget feed
Craft CMS XSS in RSS widget feed
### Summary
A malformed RSS feed can deliver an XSS payload
### PoC
Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss
The XSS payload will be triggered by the title in tag ``
Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f
GHSA
Craft CMS XSS in RSS widget feed
ghsa·2023-05-26
CVE-2023-33195 [MEDIUM] CWE-79 Craft CMS XSS in RSS widget feed
Craft CMS XSS in RSS widget feed
### Summary
A malformed RSS feed can deliver an XSS payload
### PoC
Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss
The XSS payload will be triggered by the title in tag ``
Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1fhttps://github.com/craftcms/cms/releases/tag/4.4.6https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2xhttps://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1fhttps://github.com/craftcms/cms/releases/tag/4.4.6https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x
2023-05-27
Published