CrafterCMS versions 4.0.2 and below suffer from multiple cross site scripting vulnerabilities.
advisories | CVE-2023-4136
---------------------------------------------------------------------------
CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting
Vulnerabilities
---------------------------------------------------------------------------
[-] Software Link:
https://craftercms.org
[-] Affected Versions:
Version 4.0.2 and prior versions.
Version 3.1.27 and prior versions.
[-] Vulnerabilities Description:
There are multiple Reflected Cross-Site Scripting vulnerabilities
affecting CrafterCMS.
The vulnerabilities exist in every API endpoint that reflect some input
parameter and
do produce XML responses. Following are some examples:
• /api/1/site/url/transform - url and transformerName parameters are
affected
• /api/1/site/content_store/children - url parameter is affected
• /api/1/site/content_store/item - url parameter is affected
[-] Solution:
Upgrade to version 4.0.3, 3.1.28, or later.
[-] Disclosure Timeline:
[22/11/2022] - Vendor notified
[24/03/2023] - Fixed versions released
[03/08/2023] - CVE number assigned
[23/08/2023] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-4136 to these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano, working with IMQ Minded
Security.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2023-09
[-] Other References:
https://docs.craftercms.org/en/4.1/security/advisory.html#cv-2023080301