CVE-2023-31144: Merge branch 'v3' of https://github.com/craftcms/cms into develop · craftcms/cms@52bd161

Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in versions 3.8.4 and 4.4.4.

Category: CVE. Tags: #xss, #js, #git


@@ -310,13 +310,13 @@ public function getSettingsHtml(): ?string

$view->registerAssetBundle(TimepickerAsset::class);

$view->registerAssetBundle(TableSettingsAsset::class);

$view->registerJs('new Craft.TableFieldSettings(' .

Json::encode($view->namespaceInputName(‘columns’), JSON_UNESCAPED_UNICODE) . ', ' .

Json::encode($view->namespaceInputName(‘defaults’), JSON_UNESCAPED_UNICODE) . ', ' .

Json::encode($this->columns, JSON_UNESCAPED_UNICODE) . ', ' .

Json::encode($this->defaults ?? [], JSON_UNESCAPED_UNICODE) . ', ' .

Json::encode($columnSettings, JSON_UNESCAPED_UNICODE) . ', ' .

Json::encode($dropdownSettingsHtml, JSON_UNESCAPED_UNICODE) . ', ' .

Json::encode($dropdownSettingsCols, JSON_UNESCAPED_UNICODE) .

Json::encode($view->namespaceInputName(‘columns’)) . ', ' .

Json::encode($view->namespaceInputName(‘defaults’)) . ', ' .

Json::encode($this->columns) . ', ' .

Json::encode($this->defaults ?? []) . ', ' .

Json::encode($columnSettings) . ', ' .

Json::encode($dropdownSettingsHtml) . ', ' .

Json::encode($dropdownSettingsCols) .

');’);

$columnsField = $view->renderTemplate('_components/fieldtypes/Table/columntable.twig’, [
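Review bot: The only difference between the two versions of this `registerJs` call is the `JSON_UNESCAPED_UNICODE` option on each `Json::encode(...)` argument, and because the page rendering dropped the `+`/`-` markers and turned the straight quotes around `‘columns’`, `‘defaults’` and in `');’);` into curly quotes, the direction of the change cannot be confirmed from the hunk as shown and the lines cannot be applied verbatim. Whichever variant is the new one, every encoded value is concatenated straight into an inline script for `new Craft.TableFieldSettings(...)`, so the change should come with a test that a column label or default value containing `<`, `>` or a quote character is emitted in a form that cannot alter the surrounding script (PHP's `JSON_HEX_TAG` / `JSON_HEX_QUOT` options, or an equivalent escaping step, are the usual way to guarantee this), and a commit message explaining why the option set was changed rather than only "Merge branch".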


Related news

New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, which is available both as a free and pro

GHSA-j4mx-98hw-6rv6: craftcms/cms vulnerable to cross site scripting in RSS feed widget

A malformed title in the feed widget of craftcms/cms can deliver an XSS payload. This has been resolved in [this commit](https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442).
