CVE-2023-37611: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file to the neos/management/media component.
References
- cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
- digi.ninja/blog/svg_xss.php
- github.com/advisories/GHSA-6qjf-7g3j-qx25
- github.com/neos/neos-development-collection/commit/4ac0df04d2e44e164e95887b466075dde3f04045
- github.com/neos/neos-development-collection/issues/4833
- github.com/neos/neos-development-collection/pull/4812
- github.com/neos/neos-ui/releases/tag/8.3.4
- nvd.nist.gov/vuln/detail/CVE-2023-37611
- rodelllemit.medium.com/stored-xss-in-neo-cms-8-3-3-9bd1cb973c5b
Code Behaviors & Features
Detect and mitigate CVE-2023-37611 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →