GHSA-qcrj-6ffc-v7hq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qcrj-6ffc-v7hq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-qcrj-6ffc-v7hq/GHSA-qcrj-6ffc-v7hq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qcrj-6ffc-v7hq
- Aliases
- Published
- 2023-03-03T22:45:50Z
- Modified
- 2023-11-08T04:11:42.842702Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Craft CMS Stored Cross-site Scripting Injection Vulnerability
- Details
-
Summary
When you insert a payload inside a label name or instruction of an entry type, an XSS happens in the quick post widget on the admin dashboard.
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Impact
Tested with the free version of Craft CMS 4.3.6.1
- Database specific
{ "nvd_published_at": "2023-03-03T22:15:00Z", "github_reviewed_at": "2023-03-03T22:45:50Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq
- https://nvd.nist.gov/vuln/detail/CVE-2023-23927
- https://github.com/craftcms/cms
- https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03
- https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4
Affected packages
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
4.*
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
3.*
3.7.24
3.7.25
3.7.25.1
3.7.26
3.7.27
3.7.27.1
3.7.27.2
3.7.28
3.7.29
3.7.30
3.7.30.1
3.7.31
3.7.32
3.7.33
3.7.34
3.7.35
3.7.36
3.7.37
3.7.38
3.7.39
3.7.40
3.7.40.1
3.7.41
3.7.42
3.7.43
3.7.44
3.7.45
3.7.45.1
3.7.45.2
3.7.46
3.7.47
3.7.47.1
3.7.48
3.7.49
3.7.50
3.7.51
3.7.52
3.7.53
3.7.53.1
3.7.54
3.7.55
3.7.55.1
3.7.55.2
3.7.55.3
3.7.56
3.7.57
3.7.58
3.7.59
3.7.60
3.7.61
3.7.62
3.7.63
3.7.63.1