CVE-2023-33197
published 2023-05-26CVE-2023-33197: Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue…
PriorityP423medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.68%
47.8th percentile
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.4.6 | 4.4.6 |
| craftcms | craft_cms | < 4.4.6 | 4.4.6 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Craft CMS stored XSS in indexedVolumes
ghsa·2023-05-26
CVE-2023-33197 [MEDIUM] CWE-79 Craft CMS stored XSS in indexedVolumes
Craft CMS stored XSS in indexedVolumes
### Summary
XSS can be triggered via the Update Asset Index utility
### PoC
1. Access setting tab
2. Create new assets
3. In assets name inject payload: "alert(26)
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
7. Click Update asset indexes.
XSS will be triggered
Json response volumes name makes triggers the payload
"session":{"id":1,"indexedVolumes":{"1":"\"alert(26)"},
It’s run on every POST request in the utility.
Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
OSV
Craft CMS stored XSS in indexedVolumes
osv·2023-05-26
CVE-2023-33197 [MEDIUM] Craft CMS stored XSS in indexedVolumes
Craft CMS stored XSS in indexedVolumes
### Summary
XSS can be triggered via the Update Asset Index utility
### PoC
1. Access setting tab
2. Create new assets
3. In assets name inject payload: "alert(26)
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
7. Click Update asset indexes.
XSS will be triggered
Json response volumes name makes triggers the payload
"session":{"id":1,"indexedVolumes":{"1":"\"alert(26)"},
It’s run on every POST request in the utility.
Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766https://github.com/craftcms/cms/releases/tag/4.4.6https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxrhttps://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766https://github.com/craftcms/cms/releases/tag/4.4.6https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr
2023-05-26
Published