CVE-2023-4136
Published 2023-08-03
CVE-2023-4136: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64…
Priority: P3 · medium · CVSS 3.1 base score 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.30% (66.9th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS. This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27.
Affected: 2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftercms | craftercms | 3.1.0 – 3.1.27 | — |
| craftercms | craftercms | 4.0.0 – 4.0.2 | — |
GHSA (2023-08-03): CVE-2023-4136 [HIGH] CWE-79 Cross-site Scripting (XSS) in CrafterCMS
OSV (2023-08-03): CVE-2023-4136 [HIGH] Cross-site Scripting (XSS) in CrafterCMS
No detection rules found.
Nuclei (CVSS 6.1): CVE-2023-4136 [MEDIUM] CrafterCMS Engine - Cross-Site Scripting
CrafterCMS Engine is vulnerable to reflected cross-site scripting (XSS) via the transformerName parameter in the /api/1/site/url/transform endpoint, allowing attackers to execute arbitrary JavaScript in the context of the user.
Template:

```yaml
id: CVE-2023-4136

info:
  name: CrafterCMS Engine - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    CrafterCMS Engine is vulnerable to reflected cross-site scripting (XSS) via the transformerName parameter in the /api/1/site/url/transform endpoint, allowing attackers to execute arbitrary JavaScript in the context of the user.
  impact: |
    Unauthenticated attackers can inject malicious JavaScript through the transformerName parameter in various API endpoints to steal CrafterCMS user credentia
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/174304/CrafterCMS-4.0.2-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2023/Aug/30
- https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023080301