WEB APPLICATION VULNERABILITIES Standard & Premium

Craft CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-2817)

Description

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.

Remediation

References

Related Vulnerabilities

WordPress Plugin Flip Book 'php.php' Arbitrary File Upload (1.0)

WordPress Plugin WP Cost Estimation & Payment Forms Builder Directory Traversal (9.659)

Chamilo Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2023-3533)

WordPress Plugin Flickr Gallery PHP Object Injection (1.5.2)

Apache Tomcat Incomplete Cleanup Vulnerability (CVE-2023-42795)

Severity

Medium

Classification

CVE-2023-2817 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities