CVE-2023-33194 craftcms/cms

Package

Manager: composer
Name: craftcms/cms
Vulnerable Version: >=4.0.0-rc1 <4.4.6 || >=3.0.0 <3.8.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00045 (percentile 0.13027)

Details

CraftCMS stored XSS in Quick Post widget error message

### Summary

The platform does not filter input or encode output in the Quick Post validation error message, which can deliver an XSS payload.

### Details

An older CVE fixed the XSS in the label HTML, but did not fix it when clicking save.

### PoC

1. Log in at admin
2. Go to settings
3. Create a Section
4. On the Entry page, click Edit label
5. Inject the XSS payload into the label and save
6. On the admin dashboard, choose new widget -> Quick Post
7. In Quick Post, click save with a blank slug. The XSS will be executed.

```
"errors":{"title":["<script>alert('nono')</script> cannot be blank."],"slug":["Slug cannot be blank."]
```

Fixed in https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888
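The flaw class the summary describes, as an added example that is not CraftCMS code and not the content of the fix commit: a validation response like the one in the PoC rendered once without output encoding and once with it. The function names and the `sampleResponse` value (the page's fragment closed into valid JSON) are assumptions made for illustration.

```javascript
// Added illustration; not CraftCMS code. All function names are hypothetical.

// Constructed sample: the validation response from the PoC, closed into valid JSON.
const sampleResponse = JSON.stringify({
  errors: {
    title: ["<script>alert('nono')</script> cannot be blank."],
    slug: ["Slug cannot be blank."],
  },
});

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Flatten {field: [messages]} into one list; malformed input yields no messages.
function collectErrors(responseText) {
  let parsed;
  try { parsed = JSON.parse(responseText); } catch { return []; }
  const errors = parsed && parsed.errors && typeof parsed.errors === 'object'
    ? parsed.errors : {};
  return Object.values(errors).flatMap((m) => (Array.isArray(m) ? m : [m]));
}

// Unsafe pattern: the message (which embeds the stored label) goes into markup as-is.
function renderErrorsUnsafe(responseText) {
  const items = collectErrors(responseText).map((m) => `<li>${m}</li>`);
  return `<ul class="errors">${items.join('')}</ul>`;
}

// Hardened pattern: every message is encoded at the point of output.
function renderErrorsSafe(responseText) {
  const items = collectErrors(responseText).map((m) => `<li>${escapeHtml(m)}</li>`);
  return `<ul class="errors">${items.join('')}</ul>`;
}

console.log(renderErrorsUnsafe(sampleResponse)); // markup still contains a live <script> tag
console.log(renderErrorsSafe(sampleResponse));   // label text is shown as inert characters
```

In a browser, assigning each message to an element's `textContent` gives the same result without building markup by hand.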

Metadata

Created: 2023-05-26T13:54:11Z
Modified: 2023-05-26T21:50:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-3wxg-w96j-8hq9/GHSA-3wxg-w96j-8hq9.json
CWE IDs: ["CWE-79", "CWE-80"]
Alternative ID: GHSA-3wxg-w96j-8hq9
Finding: F425
Auto approve: 1