Headline
GHSA-qpgm-gjgf-8c2x: Craft CMS XSS in RSS widget feed
Summary
A malformed RSS feed can deliver an XSS payload
PoC
Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss
The XSS payload will be triggered by the title in tag <item>
Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f
Craft CMS XSS in RSS widget feed
Low severity GitHub Reviewed Published May 25, 2023 in craftcms/cms • Updated May 26, 2023
Related news
CVE-2023-33195: XSS in RSS widget feed
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.