CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities

• Software Link:

• Affected Versions:

Version 4.0.2 and prior versions.
Version 3.1.27 and prior versions.

• Vulnerabilities Description:

There are multiple Reflected Cross-Site Scripting vulnerabilities affecting CrafterCMS. The vulnerabilities exist in every API endpoint that reflect some input parameter and do produce XML responses. Following are some examples:

• /api/1/site/url/transform – url and transformerName parameters are affected
• /api/1/site/content_store/children – url parameter is affected
• /api/1/site/content_store/item – url parameter is affected

• Solution:

Upgrade to version 4.0.3, 3.1.28, or later.

• Disclosure Timeline:

[22/11/2022] – Vendor notified
[24/03/2023] – Fixed versions released
[03/08/2023] – CVE number assigned
[23/08/2023] – Publication of this advisory

• CVE Reference:

The Common Vulnerabilities and Exposures project (
has assigned the name CVE-2023-4136 to these vulnerabilities.

• Credits:

Vulnerabilities discovered by Egidio Romano, working with IMQ Minded Security.

• Other References: