cvelistv5 - CVE-2023-33196

CVE-2023-33196

Vulnerability from cvelistv5

Published

2023-05-26 20:22

Modified

2024-08-02 15:39

Severity ?

5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Summary

Craft CMS stored XSS in review volume

References

URL	Tags
security-advisories@github.com	https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7	Patch
security-advisories@github.com	https://github.com/craftcms/cms/releases/tag/4.4.7	Release Notes
security-advisories@github.com	https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5	Exploit, Third Party Advisory

Impacted products

▼	Vendor	Product
	craftcms	cms

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.663Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"
          },
          {
            "name": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"
          },
          {
            "name": "https://github.com/craftcms/cms/releases/tag/4.4.7",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/craftcms/cms/releases/tag/4.4.7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c= 4.4.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-26T20:22:23.637Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"
        },
        {
          "name": "https://github.com/craftcms/cms/releases/tag/4.4.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/releases/tag/4.4.7"
        }
      ],
      "source": {
        "advisory": "GHSA-cjmm-x9x9-m2w5",
        "discovery": "UNKNOWN"
      },
      "title": "Craft CMS stored XSS in review volume"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33196",
    "datePublished": "2023-05-26T20:22:23.637Z",
    "dateReserved": "2023-05-17T22:25:50.699Z",
    "dateUpdated": "2024-08-02T15:39:35.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-33196\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-26T21:15:21.030\",\"lastModified\":\"2023-06-02T18:35:25.103\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.1,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.1\",\"versionEndExcluding\":\"4.4.7\",\"matchCriteriaId\":\"A1DBA098-57EC-416A-B48A-BEBF8014BADD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"610F6DE9-720F-45B3-81D5-18E7F6B090FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC2F40FC-7C27-456A-B16D-679410D1D5CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FBAA8227-04F8-404C-907B-B0162B325F5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"21B28E2C-327A-4CE6-ACAD-97E459712A55\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/cms/releases/tag/4.4.7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

gsd-2023-33196

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.

Aliases

CVE-2023-33196

Aliases

CVE-2023-33196

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-33196",
    "id": "GSD-2023-33196"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-33196"
      ],
      "details": "Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.\n\n",
      "id": "GSD-2023-33196",
      "modified": "2023-12-13T01:20:37.521700Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-33196",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "cms",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 4.0.0-RC1, \u003c= 4.4.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "craftcms"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.\n\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-80",
                "lang": "eng",
                "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5",
            "refsource": "MISC",
            "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"
          },
          {
            "name": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7",
            "refsource": "MISC",
            "url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"
          },
          {
            "name": "https://github.com/craftcms/cms/releases/tag/4.4.7",
            "refsource": "MISC",
            "url": "https://github.com/craftcms/cms/releases/tag/4.4.7"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-cjmm-x9x9-m2w5",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=4.0.0-RC1,\u003c=4.4.6",
          "affected_versions": "All versions starting from 4.0.0-rc1 up to 4.4.6",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-06-02",
          "description": "Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.\n\n",
          "fixed_versions": [
            "4.4.7"
          ],
          "identifier": "CVE-2023-33196",
          "identifiers": [
            "CVE-2023-33196",
            "GHSA-cjmm-x9x9-m2w5"
          ],
          "not_impacted": "All versions before 4.0.0-rc1, all versions after 4.4.6",
          "package_slug": "packagist/craftcms/cms",
          "pubdate": "2023-05-26",
          "solution": "Upgrade to version 4.4.7 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5",
            "https://github.com/craftcms/cms/releases/tag/4.4.7",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-33196",
            "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7",
            "https://github.com/advisories/GHSA-cjmm-x9x9-m2w5"
          ],
          "uuid": "ecd99bd7-6172-4864-a2b0-8de29bcc7e43"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.4.7",
                "versionStartIncluding": "4.0.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-33196"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"
            },
            {
              "name": "https://github.com/craftcms/cms/releases/tag/4.4.7",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/craftcms/cms/releases/tag/4.4.7"
            },
            {
              "name": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-06-02T18:35Z",
      "publishedDate": "2023-05-26T21:15Z"
    }
  }
}

ghsa-cjmm-x9x9-m2w5

Vulnerability from github

Published

2023-05-26 13:55

Modified

2023-05-26 21:50

Severity ?

5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Summary

Craft CMS stored XSS in review volume

Details

Summary

XSS can be triggered by review volumes

PoC

1. Access setting tab
2. Create new assets
3. In assets name inject payload: "<script>alert(1337)</script>
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
6. Click Update asset indexes.
7. Wait to assets update success.
8. Progress complete.
9. Click on review button will trigger XSS

Root cause

Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770 After loading completed, progess will load: "skippedEntries" and "missingEntries" These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries"

My reponse:

{ "session": { "id": 10, "indexedVolumes": { "6": "\"" }, "totalEntries": 2235, "processedEntries": 2235, "cacheRemoteImages": true, "listEmptyFolders": false, "isCli": false, "actionRequired": true, "dateCreated": "Apr 5, 2023, 9:03:16 AM", "skippedEntries": [ "\"/assetpreviews/Image.php", "\"/assetpreviews/Pdf.php" ], "missingEntries": { "folders": [], "files": [] }, "processIfRootEmpty": false }, "skipDialog": false }

Resolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-26T13:55:42Z",
    "nvd_published_at": "2023-05-26T21:15:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nXSS can be triggered by review volumes\n\n### PoC\n\n    1. Access setting tab\n    2. Create new assets\n    3. In assets name inject payload: \"\u003cscript\u003ealert(1337)\u003c/script\u003e\n    4. Click Utilities tab\n    5. Choose all volumes, or volume trigger xss\n    6. Click Update asset indexes.\n    7. Wait to assets update success.\n    8. Progress complete.\n    9. Click on review button will trigger XSS\n\n### Root cause\nFunction: index.php?p=admin/actions/asset-indexes/process-indexing-session\u0026v=1680710595770\nAfter loading completed, progess will load: \n\"skippedEntries\"\nand\n\"missingEntries\"\nThese parameters is not yet filtered, I just tried \"skippedEntries\" but I think it will be work with \"missingEntries\"\n\n### My reponse:\n{\n  \"session\": {\n    \"id\": 10,\n    \"indexedVolumes\": {\n      \"6\": \"\\\"\u003cscript\u003ealert(1337)\u003c/script\u003e\"\n    },\n    \"totalEntries\": 2235,\n    \"processedEntries\": 2235,\n    \"cacheRemoteImages\": true,\n    \"listEmptyFolders\": false,\n    \"isCli\": false,\n    \"actionRequired\": true,\n    \"dateCreated\": \"Apr 5, 2023, 9:03:16 AM\",\n    \"skippedEntries\": [\n      \"\\\"\u003cscript\u003ealert(1337)\u003c/script\u003e/assetpreviews/Image.php\",\n      \"\\\"\u003cscript\u003ealert(1337)\u003c/script\u003e/assetpreviews/Pdf.php\"\n    ],\n    \"missingEntries\": {\n      \"folders\": [],\n      \"files\": []\n    },\n    \"processIfRootEmpty\": false\n  },\n  \"skipDialog\": false\n}\n\n\n\nResolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7",
  "id": "GHSA-cjmm-x9x9-m2w5",
  "modified": "2023-05-26T21:50:36Z",
  "published": "2023-05-26T13:55:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.4.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Craft CMS stored XSS in review volume"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-33196

Vulnerability from cvelistv5

gsd-2023-33196

Vulnerability from gsd

ghsa-cjmm-x9x9-m2w5

Vulnerability from github

Summary

PoC

Root cause

My reponse:

Tags

Sightings

Nomenclature