Description
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names. When such a field is added to a category or section, the injected markup triggers when users visit the Categories or Entries pages, respectively.
Remediation
References