CVE-2023-23927
MEDIUMCraft CMS < 4.3.7 - Stored Cross-Site Scripting in Quick Post Widget
Title source: llmDescription
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq
Release Notes x_refsource_misc
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03
Exploit, Third Party Advisory x_refsource_misc
https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4
Scores
CVSS v3
6.1
EPSS
0.0080
EPSS Percentile
52.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
craftcms/cms
4.0.0-RC1 - 4.3.7Packagist
craftcms/craft_cms
< 4.3.7
Published
Mar 03, 2023
Tracked Since
Feb 18, 2026