CVE-2023-33197Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Craft CMS

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
CNA5.5
EPSS
0.4%
top 40.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedMay 26

Description

Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

Packagistcraftcms/cms4.0.0-RC14.4.6
NVDcraftcms/craft_cms< 4.4.6
CVEListV5craftcms/cms>= 4.0.0-RC1, <= 4.4.5

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Craft CMS stored XSS in indexedVolumes2023-05-26
OSV
Craft CMS stored XSS in indexedVolumes2023-05-26
CVEList
Craft CMS stored XSS in indexedVolumes2023-05-26
CVE-2023-33197 — Craftcms Craft CMS vulnerability | cvebase