egix@karmainsecurity ~ $

CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities

• Software Link:

https://craftercms.org

• Affected Versions:

Version 4.0.2 and prior versions. Version 3.1.27 and prior versions.

• Vulnerabilities Description:

There are multiple Reflected Cross-Site Scripting vulnerabilities affecting CrafterCMS. The vulnerabilities exist in every API endpoint that reflect some input parameter and do produce XML responses. Following are some examples:

  • /api/1/site/url/transform – url and transformerName parameters are affected
  • /api/1/site/content_store/children – url parameter is affected
  • /api/1/site/content_store/item – url parameter is affected

• Solution:

Upgrade to version 4.0.3, 3.1.28, or later.

• Disclosure Timeline:

[22/11/2022] – Vendor notified

[24/03/2023] – Fixed versions released

[03/08/2023] – CVE number assigned

[23/08/2023] – Publication of this advisory

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-4136 to these vulnerabilities.

• Credits:

Vulnerabilities discovered by Egidio Romano, working with IMQ Minded Security.

• Other References:

https://docs.craftercms.org/en/4.1/security/advisory.html#cv-2023080301