GHSA-6qjx-787v-6pxr

Source

https://github.com/advisories/GHSA-6qjx-787v-6pxr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-6qjx-787v-6pxr/GHSA-6qjx-787v-6pxr.json

Aliases

CVE-2023-33197

Published

2023-05-26T13:56:26Z

Modified

2024-02-16T08:17:11.383893Z

Details

Summary

XSS can be triggered via the Update Asset Index utility

PoC

Access setting tab
Create new assets
In assets name inject payload: "<script>alert(26)</script>
Click Utilities tab
Choose all volumes, or volume trigger xss
Click Update asset indexes.

XSS will be triggered

Json response volumes name makes triggers the payload

"session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"},

It’s run on every POST request in the utility.

Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-RC1

Fixed

4.4.6

Affected versions

4.*

4.0.0-RC1

4.0.0-RC2

4.0.0-RC3

4.0.0

4.0.0.1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.5.1

4.0.5.2

4.0.6

4.1.0

4.1.0.1

4.1.0.2

4.1.1

4.1.2

4.1.3

4.1.4

4.1.4.1

4.2.0

4.2.0.1

4.2.0.2

4.2.1

4.2.1.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.5.2

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

Database specific

{
    "last_known_affected_version_range": "<= 4.4.5"
}