CVE-2024-45406
Published 2024-09-09
CVE-2024-45406: Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.
Priority P4 · 19 · medium 4.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.33% (25.2nd percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | >= 5.0.0 < 5.1.2 | 5.1.2 |
| craftcms | craft_cms | >= 5.0.0 < 5.1.2 | 5.1.2 |
GHSA
Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
ghsa·2024-09-09
CVE-2024-45406 [MEDIUM] CWE-79 Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
### Summary
Multiple Stored XSS can be triggered by the breadcrumb list and title fields with user input.
### Details
1. In the **/admin/categories** page, the category title isn't sanitized and triggers XSS.
2. In the category edit page under **/admin/categories/**, the category title in the breadcrumb list isn't sanitized and triggers XSS.
3. In the **/admin/entries** page, the entry title isn't sanitized and triggers XSS.
4. In the entry edit page under **/admin/entries/**, the entry title in the breadcrumb list isn't sanitized and triggers XSS.
5. In **/admin/myaccount** and the pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.
### Impact
Malicious users can tamper with the control p
OSV
Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
osv·2024-09-09
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-09-09