GHSA-6qjf-7g3j-qx25
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6qjf-7g3j-qx25
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-6qjf-7g3j-qx25/GHSA-6qjf-7g3j-qx25.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6qjf-7g3j-qx25
- Aliases
- Published
- 2023-09-19T00:30:13Z
- Modified
- 2024-02-16T08:14:28.212711Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Neos CMS Cross Site Scripting vulnerability
- Details
-
Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file uploaded to the
neos/management/mediacomponent. To make use of this attack vector, the attacker must either be able to upload a maliciously crafted file or coerce someone with the needed access to upload said file to Neos. Even if such a file is uploaded and subsequently delivered, it is possible to use CSP to protect against attacks being executed from such a file. - Database specific
{ "nvd_published_at": "2023-09-18T22:15:45Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2023-09-21T17:09:45Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-37611
- https://github.com/neos/neos-development-collection/issues/4833
- https://github.com/neos/neos-development-collection/pull/4812
- https://github.com/neos/neos-development-collection/commit/4ac0df04d2e44e164e95887b466075dde3f04045
- https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
- https://digi.ninja/blog/svg_xss.php
- https://github.com/neos/neos-development-collection
- https://github.com/neos/neos-ui/releases/tag/8.3.4
- https://rodelllemit.medium.com/stored-xss-in-neo-cms-8-3-3-9bd1cb973c5b
Affected packages
Packagist / neos/media-browser
Package
- Name
- neos/media-browser
- Purl
- pkg:composer/neos/media-browser
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.3.19
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.3.10
3.3.11
3.3.12
3.3.13
3.3.14
3.3.15
3.3.16
3.3.17
3.3.18
3.3.19
3.3.20
3.3.21
3.3.22
3.3.23
3.3.24
3.3.25
3.3.26
3.3.27
3.3.28
3.3.29
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.22
4.0.23
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.1.11
4.1.12
4.1.13
4.1.14
4.1.15
4.1.16
4.1.17
4.1.18
4.1.19
4.1.20
4.1.21
4.1.22
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.15
4.2.16
4.2.17
4.2.18
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.3.12
4.3.13
4.3.14
4.3.15
4.3.16
4.3.17
4.3.18
4.3.19
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8
7.0.9
7.0.10
7.0.11
7.0.12
7.0.13
7.1.0
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.1.6
7.1.7
7.1.8
7.1.9
7.1.10
7.1.11
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.8
7.2.9
7.2.10
7.3.0
7.3.1
7.3.2
7.3.3
7.3.4
7.3.5
7.3.6
7.3.7
7.3.8
7.3.9
7.3.10
7.3.11
7.3.12
7.3.13
7.3.14
7.3.15
7.3.16
7.3.17
7.3.18
Packagist / neos/media-browser
Package
- Name
- neos/media-browser
- Purl
- pkg:composer/neos/media-browser
Packagist / neos/media-browser
Package
- Name
- neos/media-browser
- Purl
- pkg:composer/neos/media-browser
Packagist / neos/media-browser
Package
- Name
- neos/media-browser
- Purl
- pkg:composer/neos/media-browser
Packagist / neos/media-browser
Package
- Name
- neos/media-browser
- Purl
- pkg:composer/neos/media-browser