First published: Fri May 05 2023
A malformed title in the feed widget of craftcms/cms can deliver a cross-site scripting (XSS) payload. This has been resolved in [this commit](https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442).
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Craftcms Craft Cms | >=3.0.0, <=3.8.3 | |
Craftcms Craft Cms | >=4.0.0, <=4.4.3 | |
composer/craftcms/cms | >=4.0.0, <=4.4.3 | 4.4.4 |
composer/craftcms/cms | >=3.0.0, <=3.8.3 | 3.8.4 |
The vulnerability ID for this Craft CMS issue is CVE-2023-31144.
The severity level of CVE-2023-31144 is medium.
CVE-2023-31144 is exploited by delivering a cross-site scripting payload through a malformed title that the Craft CMS feed widget renders.
Versions 3.0.0 to 3.8.3 and versions 4.0.0 to 4.4.3 of Craft CMS are affected by CVE-2023-31144.
To fix CVE-2023-31144, update Craft CMS to version 3.8.4 (for the 3.x line) or 4.4.4 (for the 4.x line).
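A quick way to check whether an installed Craft CMS falls inside the affected ranges listed above, as an added example that is not part of this advisory or of Craft's own tooling: it reads the `craftcms/cms` entry from a constructed `composer.lock` excerpt and compares the version against the two ranges from the table.

```python
import json

# Affected ranges from the advisory table (inclusive bounds) and the fixed release per line.
AFFECTED = [
    ((3, 0, 0), (3, 8, 3), "3.8.4"),
    ((4, 0, 0), (4, 4, 3), "4.4.4"),
]


def parse_version(v):
    """Turn '4.4.3' (or 'v4.4.3', '4.4.3-beta.1') into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are dropped, so '4.4.3-beta.1' counts as 4.4.3 (conservative)."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def affected_by_cve_2023_31144(version):
    """Return the version to upgrade to if `version` is affected, otherwise None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    return None


def installed_craft_version(lock_json):
    """Extract the craftcms/cms version from a composer.lock document given as a string."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


# Constructed composer.lock excerpt; a real lock file carries many more packages and fields.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.5.1"},
        {"name": "craftcms/cms", "version": "4.4.3"},
    ]
})

if __name__ == "__main__":
    ver = installed_craft_version(SAMPLE_LOCK)
    fix = affected_by_cve_2023_31144(ver)
    print(f"craftcms/cms {ver}: " + (f"affected, upgrade to {fix}" if fix else "not affected"))
```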