Headline
CrafterCMS 4.0.2 Cross Site Scripting
CrafterCMS versions 4.0.2 and below suffer from multiple cross site scripting vulnerabilities.
---------------------------------------------------------------------------CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities---------------------------------------------------------------------------[-] Software Link:https://craftercms.org[-] Affected Versions:Version 4.0.2 and prior versions.Version 3.1.27 and prior versions.[-] Vulnerabilities Description:There are multiple Reflected Cross-Site Scripting vulnerabilities affecting CrafterCMS.The vulnerabilities exist in every API endpoint that reflect some input parameter anddo produce XML responses. Following are some examples:• /api/1/site/url/transform - url and transformerName parameters are affected• /api/1/site/content_store/children - url parameter is affected• /api/1/site/content_store/item - url parameter is affected[-] Solution:Upgrade to version 4.0.3, 3.1.28, or later.[-] Disclosure Timeline:[22/11/2022] - Vendor notified[24/03/2023] - Fixed versions released[03/08/2023] - CVE number assigned[23/08/2023] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-4136 to these vulnerabilities.[-] Credits:Vulnerabilities discovered by Egidio Romano, working with IMQ Minded Security.[-] Original Advisory:https://karmainsecurity.com/KIS-2023-09[-] Other References:https://docs.craftercms.org/en/4.1/security/advisory.html#cv-2023080301
Related news
CVE-2023-4136: Security Advisories — CrafterCMS 4.0.7 documentation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27.