CVE-2023-33194
Summary
| CVE | CVE-2023-33194 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-05-26 21:15:00 UTC |
| Updated | 2023-06-02 18:43:00 UTC |
| Description | Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input or encode output in the Quick Post validation error message, which can deliver an XSS payload. An older CVE fixed the XSS in the label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Craftcms | Craft Cms | All | All | All | All |
| Application | Craftercms | Craftercms | 4.0.0 | - | All | All |
| Application | Craftercms | Craftercms | 4.0.0 | rc1 | All | All |
| Application | Craftercms | Craftercms | 4.0.0 | rc2 | All | All |
| Application | Craftercms | Craftercms | 4.0.0 | rc3 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Stored XSS in Quick Post widget error message · Advisory · craftcms/cms · GitHub | MISC | github.com | |
| Release 4.4.6 · craftcms/cms · GitHub | MISC | github.com | |
| Fixed an XSS vulnerability · craftcms/cms@9d0cd0b · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.