CVE-2023-33197: Release 4.4.6 · craftcms/cms

Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

  • Content tab menus now reveal when a tab contains validation errors, and invalid tabs’ menu options get the same warning icon treatment as inline tabs do. (#12971)
  • Selectize menus now expand upwards when there’s not ample space below them. (#12976)
  • Element index bulk action spinners are now centered on the viewport. (#12972)
  • All control panel errors are now presented via error notifications rather than browser alerts. (#13024)
  • The up command now sets its default --isolated option value to true, and no longer creates a redundant mutex lock.
  • Added craft\base\Element::EVENT_BEFORE_DEFINE_URL. (#13018)
  • Added craft\utilities\AssetIndexes::volumes().
  • craft\controllers\AssetIndexesController::actionStartIndexing() now cross-references the selected volumes with those allowed by craft\utilities\AssetIndexes::EVENT_LIST_VOLUMES event handlers. (#13039, #12819)
  • Fixed a bug where Assets fields weren’t respecting their View Mode setting when viewing entry revisions. (#12948)
  • Fixed a bug where asset pagination was broken when there were more than 100 subfolders. (#12969)
  • Fixed a bug where entry index pages’ “Revision Notes” and “Last Edited By” columns weren’t getting populated for disabled entries. (#12981)
  • Fixed a bug where assets were getting relocated to the root volume folder when renamed. (#12995)
  • Fixed a bug where it wasn’t possible to preview entries on another domain when the system was offline. (#12979)
  • Fixed a bug where users were able to access volumes they didn’t have permission to view via Assets fields. (#13006)
  • Fixed a bug where zero-width spaces, invisible plus signs, and byte order marks weren’t getting stripped from sanitized asset filenames. (#13022)
  • Fixed a bug where the Plugin Store wasn’t accurately reporting installed plugins’ license statuses. (#12986)
  • Fixed a bug where the Plugin Store wasn’t handling 403 API responses for cart operations properly, once a cart had been handed off to Craft Console and assigned to an organization. (#12916)
  • Fixed a bug where craft\helpers\FileHelper::absolutePath() wasn’t treating Windows file paths beginning with drive letters as absolute. (craftcms/generator#16)
  • Fixed a bug where it wasn’t possible to sort Categories fields with “Maintain hierarchy” disabled. (#10560)
  • Fixed a bug where selectize inputs didn’t have a minimum width. (#12950)
  • Fixed a bug where the wrong tab would appear to be initially selected after an autosave, if the selected tab had changed during the autosave. (#12960)
  • Fixed a bug where it wasn’t possible to add a Dropdown field without a blank option to a global set. (#12965)
  • Fixed a bug where automatically-added Matrix blocks (per the field’s Min Blocks setting) were getting discarded if no changes were made to them. (#12973)
  • Fixed an error that could occur when installing Craft with an existing project config, if any image transforms were defined that didn’t specify the upscale property.
  • Fixed a bug where nested folders in asset search results weren’t showing their relative path.
  • Fixed a bug where admin tables’ default delete icon title text wasn’t getting translated. (#13030)
  • Fixed a bug where it was possible to save a Local filesystem pointed at a system directory (e.g. the templates/ or vendor/ folders), which mitigates a potential RCE vulnerability.
  • Fixed XSS vulnerabilities.
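The second-to-last item above is the one with the largest blast radius: a Local filesystem whose base path is a directory that Craft reads templates or autoloaded code from turns an ordinary file upload into a way to place executable content. The check below is an added example written for this page, not code from Craft CMS; it assumes a project layout with templates/, vendor/ and config/ under a project root (a constructed, illustrative list of protected directories) and shows the path-containment test a defender would want before a base path is accepted. It resolves both paths with realpath first, so ".." segments and symlinks cannot disguise a protected location, and it deliberately avoids a naive string-prefix comparison, which would wrongly reject a sibling such as templates-archive/.

```python
import os
from pathlib import Path

# Constructed, illustrative list of project directories that a Local filesystem
# must never be rooted in (or above): uploads landing in a template or
# autoloaded-code directory are what turns a file write into code execution.
PROTECTED_SUBDIRS = ("templates", "vendor", "config")


def is_safe_filesystem_root(candidate: str, project_root: str,
                            protected=PROTECTED_SUBDIRS) -> bool:
    """Return True only if `candidate` can safely serve as a Local filesystem base path.

    Both paths are resolved with os.path.realpath first, so `..` segments and
    symlinks cannot be used to disguise a protected location.
    """
    root = Path(os.path.realpath(project_root))
    path = Path(os.path.realpath(candidate))
    for name in protected:
        prot = root / name
        # Rejected: the candidate is the protected directory or lies inside it.
        if path == prot or prot in path.parents:
            return False
        # Rejected: the candidate is an ancestor of the protected directory
        # (for example the project root itself), which would expose it as a subfolder.
        if path in prot.parents:
            return False
    return True


def check_candidates(project_root: str, candidates):
    """Map each candidate base path to its verdict; handy when reviewing a config."""
    return {c: is_safe_filesystem_root(c, project_root) for c in candidates}


if __name__ == "__main__":
    # Constructed sample paths; nothing is created on disk.
    for path, ok in check_candidates("/srv/craft", [
        "/srv/craft/web/uploads",
        "/srv/craft/templates",
        "/srv/craft/web/../vendor/craftcms",
        "/srv/craft",
        "/srv/craft/templates-archive",
    ]).items():
        print(f"{'allow' if ok else 'reject'}  {path}")
```

The same comparison works for any directory a deployment treats as code rather than data; extend the protected list to match the layout actually in use rather than trusting the three names assumed here.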

Related news

GHSA-6qjx-787v-6pxr: Craft CMS stored XSS in indexedVolumes

### Summary

XSS can be triggered via the Update Asset Index utility.

### PoC

1. Access the Settings tab
2. Create new assets
3. In the asset name, inject the payload: "<script>alert(26)</script>
4. Click the Utilities tab
5. Choose all volumes, or the volume that triggers the XSS
7. Click Update asset indexes. The XSS will be triggered.

The volume name in the JSON response triggers the payload: "session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"}, It runs on every POST request in the utility.

Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
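Two of the items on this page concern the same piece of data, an asset name that an editor types in and the control panel later displays: the release note about zero-width spaces, invisible plus signs and byte order marks surviving filename sanitization, and the advisory above, where a volume name carried in the indexing session's JSON reached the page unescaped. The code below is an added example written for this page, not code from Craft CMS or from the linked fix commit. It assumes nothing about Craft's internals beyond the response shape quoted in the advisory: the sanitizer drops every Unicode format character (general category Cf, which contains all three of the characters the release note names), and the renderer HTML-escapes each volume name before it is placed in markup, so the advisory's payload is displayed as text rather than executed.

```python
import html
import json
import unicodedata


def sanitize_asset_filename(name: str) -> str:
    """Strip Unicode 'format' characters (general category Cf) from a filename.

    Cf covers zero-width spaces (U+200B..U+200D), the invisible plus sign (U+2064)
    and the byte order mark (U+FEFF): characters that render as nothing but make
    two names compare as different and can hide inside a filename unnoticed.
    """
    cleaned = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return cleaned.strip()


def render_indexed_volumes(session: dict) -> str:
    """Render the indexedVolumes map from an indexing-session response as an HTML list.

    Every volume name is escaped for an HTML text context before it is concatenated
    into markup, so a name like "<script>alert(26)</script>" is shown literally
    rather than executed.
    """
    items = "".join(
        f"<li>{html.escape(name)}</li>"
        for _volume_id, name in sorted(session["indexedVolumes"].items())
    )
    return f"<ul>{items}</ul>"


if __name__ == "__main__":
    # Constructed asset name carrying a BOM, a zero-width space and an invisible plus.
    print(repr(sanitize_asset_filename("\ufeffquarterly\u200b\u2064report.pdf")))

    # Constructed response mirroring the shape quoted in the advisory.
    response = json.loads(
        '{"session":{"id":1,"indexedVolumes":{"1":"\\"<script>alert(26)</script>\\""}}}'
    )
    print(render_indexed_volumes(response["session"]))
```

The escaping step is the one that closes the advisory's bug; sanitizing on input is defence in depth and does not replace it, because a name that was stored before the sanitizer existed, or that arrives through another path, still reaches the renderer. When the same JSON is consumed in the browser, the equivalent rule is to assign names with textContent rather than innerHTML.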
