First published: Fri May 26 2023
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names; once such a field is added to a category or section, the payload triggers when users visit the Categories or Entries pages respectively.
Credit: vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Craftcms Craft Cms | <=4.4.11 | |
| composer/craftcms/cms | >=4.0.0-RC1 <4.4.12 | 4.4.12 |
| composer/craftcms/cms | <4.4.12 | 4.4.12 |
CVE-2023-2817 is a post-authentication stored cross-site scripting vulnerability in Craft CMS versions <= 4.4.11.
CVE-2023-2817 has a severity score of 5.4, which is considered medium.
CVE-2023-2817 allows HTML, including script tags, to be injected into field names; once such a field is attached to a category or section, the XSS triggers when users visit the corresponding Categories or Entries pages.
Craft CMS versions up to and including 4.4.11 are affected by CVE-2023-2817.
To mitigate the CVE-2023-2817 vulnerability, update Craft CMS to version 4.4.12 or higher, as this version includes the necessary fix.
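An added example, not from the advisory or the Craft CMS project: a small Python helper that checks an installed craftcms/cms version against the fixed 4.4.12 and audits existing field names for stored markup, since upgrading alone does not remove names an authenticated user already injected. The sample field names and the tag pattern are my own assumptions; pull the real names from your instance's field definitions.

```python
import html
import re
from typing import Iterable, List, Tuple

# Fix version from the advisory: craftcms/cms 4.4.12.
FIXED_VERSION = (4, 4, 12)
# Anything that looks like an HTML tag (<script>, <img ...>, </b>) inside a field name.
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split '4.4.11' or '4.0.0-RC1' into (major, minor, patch, release_flag).
    A pre-release sorts before its final release, so '4.4.12-beta.1' < 4.4.12."""
    core, _, prerelease = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True when the installed craftcms/cms version is below the fixed 4.4.12."""
    return parse_version(version) < (*FIXED_VERSION, 1)


def find_html_field_names(field_names: Iterable[str]) -> List[str]:
    """Return field names that contain HTML markup. Run this over your existing
    field definitions after upgrading: the fix stops new injections but does not
    remove markup an authenticated user already stored."""
    return [name for name in field_names if HTML_TAG_RE.search(name)]


def render_field_name(name: str) -> str:
    """HTML-encode a field name before placing it in a page, so stored markup is
    shown as inert text on the Categories/Entries pages instead of executing."""
    return html.escape(name, quote=True)


# Constructed sample (not from the advisory): one name carries injected markup.
SAMPLE_FIELD_NAMES = ["Summary", "Hero Image <script>alert(1)</script>", "Price (USD)"]

if __name__ == "__main__":
    for v in ("4.4.11", "4.4.12", "4.0.0-RC1", "4.4.12-beta.1"):
        print(f"craftcms/cms {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for name in find_html_field_names(SAMPLE_FIELD_NAMES):
        print("suspicious field name:", name)
        print("safe rendering:", render_field_name(name))
```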