CVE-2023-33196
Craft CMS stored XSS in review volume
Description
### Summary XSS can be triggered by review volumes ### PoC 1. Access setting tab 2. Create new assets 3. In assets name inject payload: "<script>alert(1337)</script> 4. Click Utilities tab 5. Choose all volumes, or volume trigger xss 6. Click Update asset indexes. 7. Wait to assets update success. 8. Progress complete. 9. Click on review button will trigger XSS ### Root cause Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770 After loading completed, progess will load: "skippedEntries" and "missingEntries" These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries" ### My reponse: { "session": { "id": 10, "indexedVolumes": { "6": "\"<script>alert(1337)</script>" }, "totalEntries": 2235, "processedEntries": 2235, "cacheRemoteImages": true, "listEmptyFolders": false, "isCli": false, "actionRequired": true, "dateCreated": "Apr 5, 2023, 9:03:16 AM", "skippedEntries": [ "\"<script>alert(1337)</script>/assetpreviews/Image.php", "\"<script>alert(1337)</script>/assetpreviews/Pdf.php" ], "missingEntries": { "folders": [], "files": [] }, "processIfRootEmpty": false }, "skipDialog": false } Resolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7
How to fix CVE-2023-33196
To remediate CVE-2023-33196, upgrade the affected package to a fixed version below.
- —upgrade to 4.4.7 or later
Is CVE-2023-33196 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0-RC1, < 4.4.7