GHSA-qpgm-gjgf-8c2x

Source

https://github.com/advisories/GHSA-qpgm-gjgf-8c2x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-qpgm-gjgf-8c2x/GHSA-qpgm-gjgf-8c2x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qpgm-gjgf-8c2x

Aliases

CVE-2023-33195

Published

2023-05-26T13:55:00Z

Modified

2024-02-16T08:10:53.670846Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Craft CMS XSS in RSS widget feed

Details

Summary

A malformed RSS feed can deliver an XSS payload

PoC

Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss The XSS payload will be triggered by the title in tag <item>

Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f

Database specific

{
    "nvd_published_at": "2023-05-27T04:15:25Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-26T13:55:00Z"
}

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3.0

Fixed

4.4.6

Affected versions

4.*

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

Database specific

{
    "last_known_affected_version_range": "<= 4.4.5"
}