CVE-2023-33195: XSS in RSS widget feed

Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.

craftcms / cms Public


Low

angrybrad published GHSA-qpgm-gjgf-8c2x

May 25, 2023

Package

craftcms/cms (Craft CMS)

Affected versions

>= 4.3.0, <= 4.4.5

Patched versions

4.4.6

Description

Summary

A malformed RSS feed can deliver an XSS payload.

PoC

Create an RSS widget and add the feed URL https://blog.whitebear.vn/file/rss-xss2.rss
The XSS payload is triggered by the title inside the <item> tag.

Resolved in b77cb30
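
The weakness class described above (feed text decoded by the XML parser, then placed into widget markup), shown as an added example; it is not Craft's code and not the patch in b77cb30. All function names and the sample feed are constructed, and the link-scheme check goes beyond the title case the advisory describes.

```javascript
// Constructed sample feed; hypothetical helpers, not Craft CMS code.
const SAMPLE_FEED = `<rss version="2.0"><channel>
<item><title>Release notes &lt;script&gt;/* constructed */&lt;/script&gt;</title>
<link>https://example.com/a</link></item>
<item><title><![CDATA[<b>Bold</b> news]]></title><link>javascript:void(0)</link></item>
</channel></rss>`;

// Text as an XML parser would return it: entities and CDATA become literal markup.
function xmlText(raw) {
  const cdata = raw.match(/^<!\[CDATA\[([\s\S]*)\]\]>$/);
  if (cdata) return cdata[1];
  return raw.replace(/&(lt|gt|quot|apos|amp);/g,
    (_, n) => ({ lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' }[n]));
}

// Minimal item extraction, enough for the sample above (not a general RSS parser).
function parseItems(xml) {
  return [...xml.matchAll(/<item>([\s\S]*?)<\/item>/g)].map(([, body]) => ({
    title: xmlText((body.match(/<title>([\s\S]*?)<\/title>/) || [, ''])[1].trim()),
    link: xmlText((body.match(/<link>([\s\S]*?)<\/link>/) || [, ''])[1].trim()),
  }));
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Only http(s) links are rendered; anything else collapses to "#".
function safeHref(link) {
  try {
    const u = new URL(link);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch { return '#'; }
}

// Vulnerable pattern: decoded feed text concatenated straight into HTML.
function renderUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a></li>`;
}

// Hardened pattern: every feed-controlled value is escaped for its HTML context.
function renderSafe(item) {
  const href = escapeHtml(safeHref(item.link));
  return `<li><a href="${href}" rel="noopener noreferrer">${escapeHtml(item.title)}</a></li>`;
}
```
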

Severity

Low

CVE ID

CVE-2023-33195

Weaknesses

CWE-79

Credits

  • WhiteBearVN Reporter

Related news

GHSA-qpgm-gjgf-8c2x: Craft CMS XSS in RSS widget feed

### Summary

A malformed RSS feed can deliver an XSS payload

### PoC

Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss
The XSS payload will be triggered by the title in tag `<item>`

Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f
