Craft CMS stored XSS in indexedVolumes
CVE-2023-33197

5.4MEDIUM

Key Information:

Vendor
craftcms
Status
cms
Vendor
CVE Published:
26 May 2023

Summary

Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

Affected Version(s)

cms >= 4.0.0-RC1, <= 4.4.5

References

https://github.com/craftcms/cms/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee...
x_refsource_MISC
https://github.com/craftcms/cms/releases/tag/4.4.6
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-33197 : Craft CMS stored XSS in indexedVolumes | SecurityVulnerability.io