CVE-2023-33197 – Craft CMS stored XSS in indexedVolumes
https://notcve.org/view.php?id=CVE-2023-33197
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. • https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2023-2817
https://notcve.org/view.php?id=CVE-2023-2817
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names; when the field is added to a category or section, the injected markup triggers when users visit the Categories or Entries pages, respectively. • https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb https://www.tenable.com/security/research/tra-2023-20%2C • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-30130
https://notcve.org/view.php?id=CVE-2023-30130
An issue found in Craft CMS v3.8.1 allows a remote attacker to execute arbitrary code via a crafted script passed to the Section parameter. • https://craftcms.com https://tf1t.gitbook.io/mycve/craftcms/server-site-template-injection-on-craftcms-3.8.1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-31144 – Craft CMS vulnerable to cross site scripting in RSS feed widget
https://notcve.org/view.php?id=CVE-2023-31144
Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in versions 3.8.4 and 4.4.4. • https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442 https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-23927 – Craft CMS stored cross-site scripting vulnerability
https://notcve.org/view.php?id=CVE-2023-23927
Craft is a platform for creating digital experiences. When a payload is inserted into a label name or instruction of an entry type, cross-site scripting (XSS) occurs in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03 https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •