CVE-2023-33195 – Craft CMS XSS in RSS widget feed
https://notcve.org/view.php?id=CVE-2023-33195
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-33194 – CraftCMS stored XSS in Quick Post widget error message
https://notcve.org/view.php?id=CVE-2023-33194
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2023-33196 – Craft CMS stored XSS in review volume
https://notcve.org/view.php?id=CVE-2023-33196
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. • https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7 https://github.com/craftcms/cms/releases/tag/4.4.7 https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2023-33197 – Craft CMS stored XSS in indexedVolumes
https://notcve.org/view.php?id=CVE-2023-33197
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. • https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2023-2817
https://notcve.org/view.php?id=CVE-2023-2817
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. • https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb https://www.tenable.com/security/research/tra-2023-20%2C • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •