CVE-2024-45406Cross-site Scripting in Craft CMS

CWE-79Cross-site ScriptingCWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)4 documents4 sources
Severity
4.8MEDIUMNVD
CNA5.5
EPSS
0.3%
top 46.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedSep 9

Description

Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

Packagistcraftcms/cms5.0.05.1.2
NVDcraftcms/craft_cms5.0.05.1.2
CVEListV5craftcms/cms>= 5.0.0, < 5.1.2

Patches

Patch: github.com

🔴Vulnerability Details

3
CVEList
Craft CMS stored XSS in breadcrumb list and title fields2024-09-09
GHSA
Craft CMS vulnerable to stored XSS in breadcrumb list and title fields2024-09-09
OSV
Craft CMS vulnerable to stored XSS in breadcrumb list and title fields2024-09-09
CVE-2024-45406 — Cross-site Scripting in Craft CMS | cvebase