CVE-2023-31144

Craft CMS vulnerable to cross site scripting in RSS feed widget

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.

*Credits: N/A

CVSS Scores

NISTv3.1 6.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-04-24 CVE Reserved
2023-05-09 CVE Published
2024-06-10 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442	2023-05-16
https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6	2023-05-16

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Craftcms Search vendor "Craftcms"		Craft Cms Search vendor "Craftcms" for product "Craft Cms"				>= 3.0.0 <= 3.8.3 Search vendor "Craftcms" for product "Craft Cms" and version " >= 3.0.0 <= 3.8.3"		-		Affected
Craftcms Search vendor "Craftcms"		Craft Cms Search vendor "Craftcms" for product "Craft Cms"				>= 4.0.0 <= 4.4.3 Search vendor "Craftcms" for product "Craft Cms" and version " >= 4.0.0 <= 4.4.3"		-		Affected