GHSA-6j87-m5qx-9fqp: Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
A stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the Row Heading column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
References
- craftcms.com/knowledge-base/securing-craft
- github.com/advisories/GHSA-6j87-m5qx-9fqp
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a
- github.com/craftcms/cms/releases/tag/4.16.19
- github.com/craftcms/cms/releases/tag/5.8.23
- github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp
Code Behaviors & Features
Detect and mitigate GHSA-6j87-m5qx-9fqp with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →