CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33495
https://notcve.org/view.php?id=CVE-2023-33495
Craft CMS through 4.4.9 is vulnerable to HTML Injection. • https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212 https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30179
https://notcve.org/view.php?id=CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default. • https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14 https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714 https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8EPSS: 0%CPEs: 6EXPL: 1CVE-2023-33194 – CraftCMS stored XSS in Quick Post widget error message
https://notcve.org/view.php?id=CVE-2023-33194
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33197 – Craft CMS stored XSS in indexedVolumes
https://notcve.org/view.php?id=CVE-2023-33197
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. • https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2817
https://notcve.org/view.php?id=CVE-2023-2817
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. • https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb https://www.tenable.com/security/research/tra-2023-20%2C • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •