CrafterCMS 4.0.2 Cross Site Scripting
Authored by EgiX | Site karmainsecurity.com
CrafterCMS versions 4.0.2 and below suffer from multiple cross site scripting vulnerabilities.
advisories | CVE-2023-4136
SHA-256 | 4048cc73ca79593508defbbf3c0df5f379960818368d8961aa031904ca5e521e
---------------------------------------------------------------------------
CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities
---------------------------------------------------------------------------
[-] Software Link:
https://craftercms.org
[-] Affected Versions:
Version 4.0.2 and prior versions.
Version 3.1.27 and prior versions.
[-] Vulnerabilities Description:
There are multiple Reflected Cross-Site Scripting vulnerabilities
affecting CrafterCMS.
The vulnerabilities exist in every API endpoint that reflects an input
parameter and produces an XML response. Following are some examples:
• /api/1/site/url/transform - url and transformerName parameters are affected
• /api/1/site/content_store/children - url parameter is affected
• /api/1/site/content_store/item - url parameter is affected
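Why reflecting a parameter into an XML body is an XSS sink: browsers render XML documents directly, and markup carried inside a reflected value (including embedded XHTML or SVG) is interpreted as part of the document rather than as data. The following Python is an added illustration, not CrafterCMS code; the <response> schema, the endpoint shape, the sample url value and the transformer name are all constructed here. It contrasts the vulnerable pattern (formatting parameters straight into the XML string) with the hardened one (assigning them as element text and letting the serializer escape them), and includes two checks a reviewer can run against any XML endpoint: does the parameter add elements to the document, and does the submitted value come back as exactly one data node.

```python
"""Reflecting a request parameter into an XML response: unsafe vs. hardened.

Added illustration, not CrafterCMS code. The endpoint shape, the sample
parameter values and the <response> schema are all constructed here.
"""
import xml.etree.ElementTree as ET

# Constructed sample parameters. The url value carries markup so the two
# builders can be compared; the transformer name is made up.
SAMPLE_URL = "/site/website/index.xml</url><note>constructed</note><url>"
SAMPLE_TRANSFORMER = "exampleTransformer"

# Response headers a hardened XML endpoint should send: an explicit XML media
# type plus nosniff, so the browser never reinterprets the body as HTML.
SAFE_HEADERS = {
    "Content-Type": "application/xml; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}


def build_response_unsafe(url: str, transformer: str) -> str:
    """Vulnerable pattern: parameters pasted into the body by string
    formatting. Markup inside a parameter becomes markup in the document,
    which is the root cause of reflected XSS in XML-producing endpoints."""
    return (
        f"<response><url>{url}</url>"
        f"<transformerName>{transformer}</transformerName></response>"
    )


def build_response_safe(url: str, transformer: str) -> str:
    """Hardened pattern: values are assigned as element text and the
    serializer escapes them (< > & become entities), so a parameter can
    never introduce elements of its own."""
    root = ET.Element("response")
    ET.SubElement(root, "url").text = url
    ET.SubElement(root, "transformerName").text = transformer
    return ET.tostring(root, encoding="unicode")


def child_tags(xml_doc: str) -> list[str]:
    """Tags directly under the root; extra tags mean a parameter injected
    structure instead of being carried as data."""
    return [child.tag for child in ET.fromstring(xml_doc)]


def round_trips(xml_doc: str, expected_url: str) -> bool:
    """True when exactly one <url> element exists and its text is the
    submitted value unchanged, i.e. the input was treated as data only."""
    urls = ET.fromstring(xml_doc).findall("url")
    return [e.text for e in urls] == [expected_url]


if __name__ == "__main__":
    for label, builder in (("unsafe", build_response_unsafe),
                           ("safe", build_response_safe)):
        doc = builder(SAMPLE_URL, SAMPLE_TRANSFORMER)
        print(f"{label}: children={child_tags(doc)} "
              f"round_trips={round_trips(doc, SAMPLE_URL)}")
```

Run stand-alone, the unsafe builder yields four child elements (the constructed <note> element came from the parameter) and fails the round-trip check, while the safe builder yields the two expected children and returns the submitted value intact as text. The same two checks apply to any real endpoint: fetch the response, parse it, and compare the element structure and the reflected text against what was sent.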
[-] Solution:
Upgrade to version 4.0.3, 3.1.28, or later.
[-] Disclosure Timeline:
[22/11/2022] - Vendor notified
[24/03/2023] - Fixed versions released
[03/08/2023] - CVE number assigned
[23/08/2023] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-4136 to these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano, working with IMQ Minded Security.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2023-09
[-] Other References:
https://docs.craftercms.org/en/4.1/security/advisory.html#cv-2023080301