Cross Site Scripting Vulnerability in Craft CMS by Pixel & Tonic
CVE-2022-37246

5.4MEDIUM

Key Information:

Vendor: Craftcms
Status: Craft Cms
Vendor: CVE Published:; 21 September 2022

What is CVE-2022-37246?

Craft CMS 4.2.0.1 is susceptible to a Cross Site Scripting (XSS) vulnerability found in the file src/web/assets/cp/src/js/BaseElementSelectInput.js. This flaw can potentially allow an adversary to inject malicious scripts via the elementInfo.label line, leading to unauthorized script execution in the context of the user's browser.

References

https://github.com/craftcms/cms/commit/1d5fdba23c84d6d09a...

x_refsource_MISC

https://labs.integrity.pt/advisories/cve-2022-37246/

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 21, 2022
Vulnerability Reserved
Aug 1, 2022

Craftcms

What is CVE-2022-37246?

References

CVSS V3.1

Timeline