First published: Fri May 26 2023
### Summary

XSS can be triggered by review volumes

### PoC

1. Access the settings tab
2. Create new assets
3. In the asset's name, inject the payload: `"<script>alert(1337)</script>`
4. Click the Utilities tab
5. Choose all volumes, or the volume that triggers the XSS
6. Click Update asset indexes.
7. Wait for the assets update to succeed.
8. Progress complete.
9. Clicking the review button will trigger the XSS

### Root cause

Function: `index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770`

After loading has completed, the progress will load "skippedEntries" and "missingEntries".

These parameters are not yet filtered. I just tried "skippedEntries", but I think it will work with "missingEntries".

### My response:

```json
{
  "session": {
    "id": 10,
    "indexedVolumes": {
      "6": "\"<script>alert(1337)</script>"
    },
    "totalEntries": 2235,
    "processedEntries": 2235,
    "cacheRemoteImages": true,
    "listEmptyFolders": false,
    "isCli": false,
    "actionRequired": true,
    "dateCreated": "Apr 5, 2023, 9:03:16 AM",
    "skippedEntries": [
      "\"<script>alert(1337)</script>/assetpreviews/Image.php",
      "\"<script>alert(1337)</script>/assetpreviews/Pdf.php"
    ],
    "missingEntries": {
      "folders": [],
      "files": []
    },
    "processIfRootEmpty": false
  },
  "skipDialog": false
}
```

Resolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Craftcms Craft Cms | =4.0.0-rc3 | |
Craftcms Craft Cms | =4.0.0-rc1 | |
Craftcms Craft Cms | =4.0.0-rc2 | |
Craftcms Craft Cms | >=4.0.1<4.4.7 | |
Craftcms Craft Cms | =4.0.0 | |
composer/craftcms/cms | >=4.0.0-RC1<=4.4.6 | 4.4.7 |
CVE-2023-33196 refers to a vulnerability in Craft CMS that allows for cross-site scripting (XSS) attacks to be triggered.
CVE-2023-33196 is rated with a severity score of 5.5, which is considered medium.
Craft CMS versions 4.0.0-RC1, 4.0.0-RC2, 4.0.0-RC3, and 4.0.0 to 4.4.6 are affected by CVE-2023-33196.
The vulnerability in CVE-2023-33196 can be exploited by injecting malicious scripts into asset names and triggering the XSS attack through the update of asset indexes.
To mitigate the vulnerability in CVE-2023-33196, it is recommended to update Craft CMS to version 4.4.7 or apply the provided fix from the official Craft CMS repository.
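The root cause reported above is that strings in the indexing-session response (`indexedVolumes`, `skippedEntries`, `missingEntries`) reach the review dialog unfiltered. The following is an added example, not code from Craft CMS or from the fix commit: it contrasts an assumed unescaped rendering with an output-encoded one, using a constructed response shaped like the one in the advisory. All function names are hypothetical.

```javascript
// Added illustration; function names are hypothetical, not Craft CMS code.

// Constructed sample, shaped like the response shown in the advisory.
const sampleResponse = {
  session: {
    id: 10,
    indexedVolumes: { 6: '"<script>alert(1337)</script>' },
    skippedEntries: [
      '"<script>alert(1337)</script>/assetpreviews/Image.php',
      '"<script>alert(1337)</script>/assetpreviews/Pdf.php',
    ],
    missingEntries: { folders: [], files: [] },
  },
};

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Flatten every server-supplied string that a review dialog would display.
function collectReviewStrings(session) {
  const missing = session.missingEntries || {};
  return [
    ...Object.values(session.indexedVolumes || {}),
    ...(session.skippedEntries || []),
    ...Object.values(missing.folders || {}),
    ...Object.values(missing.files || {}),
  ];
}

// Before (assumed shape of the flaw): values concatenated into markup as-is.
function renderReviewUnsafe(session) {
  return '<ul>' + collectReviewStrings(session).map((s) => `<li>${s}</li>`).join('') + '</ul>';
}

// After: every value is encoded before it reaches the markup.
function renderReviewSafe(session) {
  return '<ul>' + collectReviewStrings(session).map((s) => `<li>${escapeHtml(s)}</li>`).join('') + '</ul>';
}

console.log(renderReviewSafe(sampleResponse.session));
```

The same encoding has to cover the volume names and both `missingEntries` lists, not only `skippedEntries`, since all of them carry asset or volume names chosen by a user.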