CVE-2023-33194
Severity: LOW 3.7 | EPSS: 0.06%

CraftCMS stored XSS in Quick Post widget error message
Description
### Summary

Craft CMS does not filter input or encode output in the Quick Post widget's validation error message. A field label containing HTML is stored as-is and later echoed unencoded into the error text, which lets it deliver a stored XSS payload. Exploitation requires an authenticated user who can edit field labels (PR:L in the vector below) and a victim who triggers the validation error (UI:R), which is why the score is low.

### Details

An earlier CVE fixed the XSS in the rendered label HTML itself, but the same label is still emitted unencoded in the validation error message produced when Save is clicked in the Quick Post widget.

### PoC

1. Log in to the admin control panel.
2. Go to Settings.
3. Create a Section.
4. On the entry page, click "Edit label".
5. Inject the XSS payload into the label and save.
6. On the admin dashboard, choose New widget -> Quick Post.
7. In Quick Post, click Save with a blank slug; the XSS executes. The validation response contains the unencoded label:

```json
{"errors":{"title":["<script>alert('nono')</script> cannot be blank."],"slug":["Slug cannot be blank."]}}
```

Fixed in https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888
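The bug class behind this advisory is a server-side message template ("{attribute} cannot be blank.") that interpolates a user-controlled field label, and a widget that then writes that message into the page as HTML. The following is an added illustration, not Craft CMS code and not the fix from the commit above: the label, the Yii-style message format and the two renderers are constructed here to show the vulnerable pattern beside the output-encoded one. The JSON response itself is not the sink; the injection happens only when the message is turned into markup in the browser.

```javascript
// Added example (not Craft CMS code). The stored label and the error object are
// constructed sample data modelled on the PoC above.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Label saved by an authenticated user with permission to edit field layouts.
const storedLabel = "<script>alert('nono')</script>";

// Server-side validation builds "{attribute} cannot be blank." from the stored label.
// Nothing is encoded here; that is fine as long as every *output* sink encodes.
function buildErrors(label) {
  return {
    title: [`${label} cannot be blank.`],
    slug: ['Slug cannot be blank.'],
  };
}

// Vulnerable widget renderer: concatenates the raw message into an HTML fragment
// (the kind of string that later ends up in innerHTML). The label's <script> tag
// survives intact, so the browser parses it as markup.
function renderErrorsVulnerable(errors) {
  const items = Object.values(errors).flat().map((msg) => `<li>${msg}</li>`);
  return `<ul class="errors">${items.join('')}</ul>`;
}

// Hardened renderer: encode at the output boundary. The message is still shown
// verbatim to the user, but no character in it can open or close a tag.
function renderErrorsSafe(errors) {
  const items = Object.values(errors).flat().map((msg) => `<li>${escapeHtml(msg)}</li>`);
  return `<ul class="errors">${items.join('')}</ul>`;
}

// Regression check a reviewer can run against a rendered fragment: a raw <script
// start tag must never appear in output built from user-controlled text.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

const errors = buildErrors(storedLabel);
console.log('vulnerable:', renderErrorsVulnerable(errors));
console.log('hardened:  ', renderErrorsSafe(errors));
```

The same check generalises to the earlier, already-fixed sink: any place that renders the stored label (field layout, form legend, validation message, flash notice) must encode it, because fixing one sink while the label is stored raw leaves the others exploitable, which is exactly the gap between the earlier CVE and this one.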
Affected packages (1)
- Packagist: craftcms/cms >= 4.0.0-RC1, < 4.4.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-33194
- PATCH: https://github.com/craftcms/cms
- WEB: https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888
- WEB: https://github.com/craftcms/cms/releases/tag/4.4.6
- WEB: https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9