GHSA-6qjx-787v-6pxr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6qjx-787v-6pxr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-6qjx-787v-6pxr/GHSA-6qjx-787v-6pxr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-6qjx-787v-6pxr
- Aliases
- Published
- 2023-05-26T13:56:26Z
- Modified
- 2023-11-08T05:24:59.479466Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Craft CMS stored XSS in indexedVolumes
- Details
-
Summary
XSS can be triggered via the Update Asset Index utility
PoC
- Access setting tab
- Create new assets
- In assets name inject payload: "<script>alert(26)</script>
- Click Utilities tab
- Choose all volumes, or volume trigger xss
- Click Update asset indexes.
XSS will be triggered
Json response volumes name makes triggers the payload
"session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"},It’s run on every POST request in the utility.
Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
- Database specific
{ "nvd_published_at": "2023-05-26T20:15:48Z", "cwe_ids": [ "CWE-79", "CWE-80" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-05-26T13:56:26Z" }- References
Affected packages
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
4.*
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.3.10
4.3.11
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5