First published: Fri May 26 2023
### Summary

The platform neither filters input nor encodes output in the Quick Post validation error message, so a field label containing an XSS payload is delivered to the browser unencoded.

### Details

An earlier CVE fixed the XSS in the label HTML itself, but not the path taken when clicking Save: the raw label is still interpolated into the "cannot be blank" validation error returned to the control panel.

### PoC

1. Log in to the admin control panel.
2. Go to Settings.
3. Create a Section.
4. On the Entry page, click Edit label.
5. Inject the XSS payload into the label and save.
6. On the admin dashboard choose New widget -> Quick Post.
7. In Quick Post, click Save with a blank slug. The XSS is executed; the validation response contains:

```
"errors":{"title":["<script>alert('nono')</script> cannot be blank."],"slug":["Slug cannot be blank."]
```

Fixed in https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888
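The bug class above, as an added illustration (this is example code written for this page, not Craft CMS's own code and not the referenced fix): a stored field label is interpolated raw into the "cannot be blank" validation message, and the browser-side renderer then writes that message into markup without encoding. The hardened renderer entity-encodes every message before it reaches markup. All function names are hypothetical, and the sample label and submission are constructed to mirror the PoC.

```javascript
// Added example, not Craft CMS code. Function names are hypothetical.

// Constructed sample: the label an attacker saved through "Edit label".
const STORED_LABEL = "<script>alert('nono')</script>";

// Server side (conceptually): build the validation error payload for a blank
// Quick Post submission. The label is interpolated raw, which is exactly the
// shape of the JSON fragment in the PoC.
function buildValidationErrors(fieldLabels, submitted) {
  const errors = {};
  for (const [handle, label] of Object.entries(fieldLabels)) {
    const value = submitted[handle];
    if (value === undefined || String(value).trim() === '') {
      errors[handle] = [`${label} cannot be blank.`];
    }
  }
  return errors;
}

// Minimal HTML entity encoder for text placed inside an HTML element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable client-side render: the message string goes straight into markup
// (the equivalent of assigning it to innerHTML), so the label's <script>
// element becomes live DOM.
function renderErrorsUnsafe(errors) {
  const items = Object.values(errors).flat().map((msg) => `<li>${msg}</li>`);
  return `<ul class="errors">${items.join('')}</ul>`;
}

// Hardened render: every message is entity-encoded before it reaches markup.
// The label still displays as the attacker typed it, but as inert text.
function renderErrorsSafe(errors) {
  const items = Object.values(errors).flat().map((msg) => `<li>${escapeHtml(msg)}</li>`);
  return `<ul class="errors">${items.join('')}</ul>`;
}

// Review check: does the rendered markup still contain a literal <script tag?
// An encoded label yields "&lt;script", which this does not match.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run mirroring the PoC: blank title and slug, poisoned title label.
const errors = buildValidationErrors(
  { title: STORED_LABEL, slug: 'Slug' },
  { title: '', slug: '' },
);
console.log(JSON.stringify({ errors }));
console.log('unsafe render has live script:', containsLiveScript(renderErrorsUnsafe(errors)));
console.log('safe render has live script:', containsLiveScript(renderErrorsSafe(errors)));
```

Run it with `node`. The point to carry away is that the label is attacker-controlled stored data by the time validation runs, so the only reliable control is output encoding at the place the message is written into HTML; rejecting angle brackets on the "Edit label" form is worth adding as defence in depth, but it would not have protected any label saved before the filter existed.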
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Craftcms Craft Cms | >=3.0.0 <3.8.6 | Update to 3.8.6 |
Craftcms Craft Cms | >=4.0.1 <4.4.6 | Update to 4.4.6 |
Craftercms Craftercms | =4.0.0 | |
Craftercms Craftercms | =4.0.0-rc1 | |
Craftercms Craftercms | =4.0.0-rc2 | |
Craftercms Craftercms | =4.0.0-rc3 | |
The vulnerability ID for this Craft CMS vulnerability is CVE-2023-33194.
The severity of CVE-2023-33194 is medium.
Craft CMS versions from 3.0.0 up to and including 3.8.5, and from 4.0.0-RC1 up to and including 4.4.5, are affected.
To fix CVE-2023-33194, update Craft CMS to version 3.8.6 or higher on the 3.x line, or to version 4.4.6 or higher on the 4.x line.
More information and references for CVE-2023-33194: [GitHub Commit](https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888), [GitHub Security Advisory](https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9), [Craft CMS Releases](https://github.com/craftcms/cms/releases/tag/4.4.6).