Full Disclosure mailing list archives
[KIS-2023-09] CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities
From: Egidio Romano <research () karmainsecurity com>
Date: Wed, 23 Aug 2023 14:14:05 +0200
---------------------------------------------------------------------------CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities
--------------------------------------------------------------------------- [-] Software Link: https://craftercms.org [-] Affected Versions: Version 4.0.2 and prior versions. Version 3.1.27 and prior versions. [-] Vulnerabilities Description:There are multiple Reflected Cross-Site Scripting vulnerabilities affecting CrafterCMS. The vulnerabilities exist in every API endpoint that reflect some input parameter and
do produce XML responses. Following are some examples:• /api/1/site/url/transform - url and transformerName parameters are affected
• /api/1/site/content_store/children - url parameter is affected • /api/1/site/content_store/item - url parameter is affected [-] Solution: Upgrade to version 4.0.3, 3.1.28, or later. [-] Disclosure Timeline: [22/11/2022] - Vendor notified [24/03/2023] - Fixed versions released [03/08/2023] - CVE number assigned [23/08/2023] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-4136 to these vulnerabilities. [-] Credits:Vulnerabilities discovered by Egidio Romano, working with IMQ Minded Security.
[-] Original Advisory: https://karmainsecurity.com/KIS-2023-09 [-] Other References: https://docs.craftercms.org/en/4.1/security/advisory.html#cv-2023080301 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- [KIS-2023-09] CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities Egidio Romano (Aug 23)