CVE-2023-33194: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 26, 2023 (updated June 2, 2023)

Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.

References

github.com/advisories/GHSA-3wxg-w96j-8hq9
github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888
github.com/craftcms/cms/releases/tag/4.4.6
github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9
nvd.nist.gov/vuln/detail/CVE-2023-33194

Code Behaviors & Features

Detect and mitigate CVE-2023-33194 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →