Statamic CMS vulnerable to Cross-site Scripting via uploaded assets
CVE-2023-48701

6.1 MEDIUM

Key Information:

Vendor

statamic

Status
Vendor
CVE Published:
21 November 2023

What is CVE-2023-48701?

Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of MIME validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel, which requires authentication. This issue has been patched in 3.4.15 and 4.36.0.
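The description above is all this page states about the bug: a MIME check that trusts what the file claims to be. As an added defensive example (not Statamic's own code or fix), the following Python upload check refuses a body that is really HTML even when its filename or a leading image signature says otherwise; the allowed extensions, signature table and HTML marker list are assumptions chosen for the example.

```python
"""Hardened image-upload check (added example, not Statamic's code).

Assumes the upload handler hands us the original filename and the raw
bytes. A file is accepted only when (1) its extension is on an allow-list,
(2) the leading bytes carry the magic signature of that exact type, and
(3) no HTML markup appears in the first 1 KiB, which catches an HTML body
that merely starts with a fake image header (a polyglot).
"""
import re

# Allowed raster types and their magic-byte signatures (assumed allow-list;
# SVG is deliberately absent because it can carry script on its own).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Tags a browser would render as HTML when it sniffs the response. Only
# distinctive names are listed to keep false positives on binary data low.
HTML_MARKERS = re.compile(
    rb"<(?:!doctype\s+html|html|head|body|script|iframe|svg|object|embed|meta)\b",
    re.IGNORECASE,
)


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one uploaded file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' is not an allowed image type"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not carry a {ext} signature"
    if HTML_MARKERS.search(data[:1024]):
        return False, "HTML markup found in the file head (possible polyglot)"
    return True, "ok"


# Constructed sample uploads (not captured from any real system).
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
HTML_NAMED_PNG = b"<!DOCTYPE html><html><body>not an image</body></html>"
POLYGLOT_GIF = b"GIF89a\x01\x00\x01\x00" + b"<html><body>polyglot</body></html>"

if __name__ == "__main__":
    for name, blob in (("photo.png", GOOD_PNG), ("photo.png", HTML_NAMED_PNG),
                       ("banner.gif", POLYGLOT_GIF)):
        print(name, validate_image_upload(name, blob))
```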

Affected Version(s)

cms < 3.4.15

cms >= 4.0.0, < 4.36.0

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved