GHSA-7x94-jx75-3gh6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7x94-jx75-3gh6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-7x94-jx75-3gh6/GHSA-7x94-jx75-3gh6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7x94-jx75-3gh6
- Aliases
- Published
- 2023-05-26T18:30:21Z
- Modified
- 2024-02-16T08:18:12.545746Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Stored cross site scripting in Craft CMS
- Details
-
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. This issue was patched in version 4.4.12.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2023-05-26T21:09:08Z", "nvd_published_at": "2023-05-26T17:15:17Z", "severity": "MODERATE" }- References
Affected packages
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
4.*
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.3.10
4.3.11
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.4.10
4.4.10.1
4.4.11