CVE-2023-31144

Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GitHub_MCNA
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
craftcmscraft_cms
3.0.0 ≤
𝑥
≤ 3.8.3
craftcmscraft_cms
4.0.0 ≤
𝑥
≤ 4.4.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442
https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6
https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442
https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6