GHSA-8jjh-j3c2-cjcv

Suggest an improvement
Source
https://github.com/advisories/GHSA-8jjh-j3c2-cjcv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-8jjh-j3c2-cjcv/GHSA-8jjh-j3c2-cjcv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8jjh-j3c2-cjcv
Aliases
  • CVE-2023-48701
Published
2023-11-22T20:55:07Z
Modified
2023-11-22T21:11:42.838234Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H CVSS Calculator
Summary
Cross-site Scripting via uploaded assets
Details

Impact

HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication.

Patches

It has been patched on 3.4.15 and 4.36.0.

Database specific
{
    "nvd_published_at": "2023-11-21T23:15:08Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-22T20:55:07Z"
}
References

Affected packages

Packagist / statamic/cms

Package

Name
statamic/cms
Purl
pkg:composer/statamic/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.15

Affected versions

v3.*

v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.0.0-beta.4
v3.0.0-beta.5
v3.0.0-beta.6
v3.0.0-beta.7
v3.0.0-beta.8
v3.0.0-beta.9
v3.0.0-beta.10
v3.0.0-beta.11
v3.0.0-beta.12
v3.0.0-beta.13
v3.0.0-beta.14
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.17
v3.0.0-beta.18
v3.0.0-beta.19
v3.0.0-beta.20
v3.0.0-beta.21
v3.0.0-beta.22
v3.0.0-beta.23
v3.0.0-beta.24
v3.0.0-beta.25
v3.0.0-beta.26
v3.0.0-beta.27
v3.0.0-beta.28
v3.0.0-beta.29
v3.0.0-beta.30
v3.0.0-beta.31
v3.0.0-beta.32
v3.0.0-beta.33
v3.0.0-beta.34
v3.0.0-beta.35
v3.0.0-beta.36
v3.0.0-beta.37
v3.0.0-beta.38
v3.0.0-beta.39
v3.0.0-beta.40
v3.0.0-beta.41
v3.0.0-beta.42
v3.0.0-beta.43
v3.0.0-beta.44
v3.0.0-beta.45
v3.0.0-beta.46
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.30
v3.0.31
v3.0.32
v3.0.33
v3.0.34
v3.0.35
v3.0.35.1
v3.0.36
v3.0.36.1
v3.0.37
v3.0.38
v3.0.39
v3.0.40
v3.0.41
v3.0.42
v3.0.43
v3.0.44
v3.0.45
v3.0.46
v3.0.47
v3.0.48
v3.0.49
v3.1.0-alpha.1
v3.1.0-alpha.2
v3.1.0-alpha.3
v3.1.0-alpha.4
v3.1.0-beta.1
v3.1.0-beta.2
v3.1.0-beta.3
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.22
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.2.0-beta.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.34
v3.2.35
v3.2.36
v3.2.37
v3.2.38
v3.2.39
v3.3.0-beta.1
v3.3.0-beta.2
v3.3.0-beta.3
v3.3.0-beta.4
v3.3.0-beta.5
v3.3.0-beta.6
v3.3.0-beta.7
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.17
v3.3.18
v3.3.19
v3.3.20
v3.3.21
v3.3.22
v3.3.23
v3.3.24
v3.3.25
v3.3.26
v3.3.27
v3.3.28
v3.3.29
v3.3.30
v3.3.31
v3.3.32
v3.3.33
v3.3.34
v3.3.35
v3.3.36
v3.3.37
v3.3.38
v3.3.39
v3.3.40
v3.3.41
v3.3.42
v3.3.43
v3.3.44
v3.3.45
v3.3.46
v3.3.47
v3.3.48
v3.3.49
v3.3.50
v3.3.51
v3.3.52
v3.3.53
v3.3.54
v3.3.55
v3.3.56
v3.3.57
v3.3.58
v3.3.59
v3.3.60
v3.3.61
v3.3.62
v3.3.63
v3.3.64
v3.3.65
v3.3.66
v3.3.67
v3.3.68
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14

Packagist / statamic/cms

Package

Name
statamic/cms
Purl
pkg:composer/statamic/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.36.0

Affected versions

v4.*

v4.0.0
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.9.0
v4.9.1
v4.9.2
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.12.0
v4.13.0
v4.13.1
v4.13.2
v4.14.0
v4.15.0
v4.16.0
v4.17.0
v4.18.0
v4.19.0
v4.20.0
v4.21.0
v4.22.0
v4.23.0
v4.23.1
v4.23.2
v4.24.0
v4.25.0
v4.26.0
v4.26.1
v4.27.0
v4.28.0
v4.29.0
v4.30.0
v4.31.0
v4.32.0
v4.33.0
v4.34.0
v4.35.0