CVE-2023-33196Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Craft CMS

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
CNA5.5
EPSS
0.1%
top 73.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedMay 26

Description

Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

Packagistcraftcms/cms4.0.0-RC14.4.7
NVDcraftcms/craft_cms4.0.14.4.7+1
CVEListV5craftcms/cms>= 4.0.0-RC1, <= 4.4.6

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Craft CMS stored XSS in review volume2023-05-26
OSV
Craft CMS stored XSS in review volume2023-05-26
CVEList
Craft CMS stored XSS in review volume2023-05-26
CVE-2023-33196 — Craftcms Craft CMS vulnerability | cvebase