GHSA-qpgm-gjgf-8c2x

Source

https://github.com/advisories/GHSA-qpgm-gjgf-8c2x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-qpgm-gjgf-8c2x/GHSA-qpgm-gjgf-8c2x.json

Aliases

CVE-2023-33195

Published

2023-05-26T13:55:00Z

Modified

2024-02-16T08:10:53.670846Z

Details

Summary

A malformed RSS feed can deliver an XSS payload

PoC

Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss The XSS payload will be triggered by the title in tag <item>

Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3.0

Fixed

4.4.6

Affected versions

4.*

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

Database specific

{
    "last_known_affected_version_range": "<= 4.4.5"
}