CVE-2023-33495
https://notcve.org/view.php?id=CVE-2023-33495
Craft CMS through 4.4.9 is vulnerable to HTML Injection. • https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212 https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-30179
https://notcve.org/view.php?id=CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default. • https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14 https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714 https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-33195 – Craft CMS XSS in RSS widget feed
https://notcve.org/view.php?id=CVE-2023-33195
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-33194 – CraftCMS stored XSS in Quick Post widget error message
https://notcve.org/view.php?id=CVE-2023-33194
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2023-33196 – Craft CMS stored XSS in review volume
https://notcve.org/view.php?id=CVE-2023-33196
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. • https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7 https://github.com/craftcms/cms/releases/tag/4.4.7 https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •