CVE-2023-33197
Craft CMS stored XSS in indexedVolumes
Description
### Summary

XSS can be triggered via the Update Asset Index utility.

### PoC

1. Access the Settings tab.
2. Create a new asset.
3. In the asset name, inject the payload: "<script>alert(26)</script>
4. Click the Utilities tab.
5. Choose all volumes, or the volume that triggers the XSS.
6. Click "Update asset indexes". The XSS will be triggered.

The volume name in the JSON response triggers the payload (response fragment):

"session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"},

It runs on every POST request in the utility.

Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
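The PoC above boils down to one pattern: the utility re-renders the volume name from the JSON response into the page on every POST, and the name is inserted as markup rather than as text. The following is an added example, not code from Craft CMS or from the linked fix commit. It reproduces that pattern against a constructed copy of the advisory's JSON (the `renderVolumesUnsafe` / `renderVolumesSafe` / `containsRawScript` names and the `<li>` rendering are assumptions for illustration) and shows the context-aware encoding that closes the hole.

```javascript
// Added example (not Craft CMS code). Demonstrates the stored XSS pattern
// behind CVE-2023-33197: a server-supplied volume name from the asset-index
// JSON response is written into the page as HTML, so a stored payload fires
// on every POST the utility makes. Function names and DOM shape are assumed.

// Constructed response, copied in shape from the advisory's fragment.
const SAMPLE_RESPONSE = JSON.stringify({
  session: {
    id: 1,
    indexedVolumes: { "1": "\"<script>alert(26)</script>" },
  },
});

// Encode the characters that are significant in HTML text and attribute
// contexts. Encoding at the point of output is what the fix must do; input
// validation on the asset/volume name alone is not enough, since the name is
// legitimately free text.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the volume name is concatenated straight into markup.
// With the sample response this yields a live <script> element.
function renderVolumesUnsafe(jsonText) {
  const { session } = JSON.parse(jsonText);
  return Object.entries(session.indexedVolumes)
    .map(([id, name]) => `<li data-volume-id="${id}">${name}</li>`)
    .join("");
}

// Hardened rendering: every server-supplied value is encoded for the context
// it lands in (attribute value and element text are both covered here).
function renderVolumesSafe(jsonText) {
  const { session } = JSON.parse(jsonText);
  return Object.entries(session.indexedVolumes)
    .map(
      ([id, name]) =>
        `<li data-volume-id="${escapeHtml(id)}">${escapeHtml(name)}</li>`
    )
    .join("");
}

// Regression check a tester can keep around: does a raw <script> tag from the
// source data survive into the rendered markup?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe :", renderVolumesUnsafe(SAMPLE_RESPONSE));
console.log("safe   :", renderVolumesSafe(SAMPLE_RESPONSE));
console.log(
  "raw <script> survives unsafe render:",
  containsRawScript(renderVolumesUnsafe(SAMPLE_RESPONSE))
);
```

When verifying a patched instance, the same check applies from the browser side: after step 6 of the PoC, the volume name in the utility's status list should appear literally (with the quote and angle brackets visible) and no dialog should open, on the first POST and on every subsequent one.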
How to fix CVE-2023-33197
To remediate CVE-2023-33197, upgrade the affected package to a fixed version below.
- craftcms/cms: upgrade to 4.4.6 or later
Is CVE-2023-33197 being exploited?
Low. The EPSS score is 0.8%, a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks, so a low score does not rule out targeted exploitation of a reachable control panel.
Affected packages (1)
- craftcms/cms (Composer): >= 4.0.0-RC1, < 4.4.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |