exploitDog
GHSA-6qjf-7g3j-qx25

Published: 19 Sep 2023
Source: github
GitHub: reviewed
CVSS3: 5.4

Description

Neos CMS Cross Site Scripting vulnerability

Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file uploaded to the neos/management/media component. To make use of this attack vector, the attacker must either be able to upload a maliciously crafted file or coerce someone with the needed access to upload said file to Neos. Even if such a file is uploaded and subsequently delivered, it is possible to use CSP to protect against attacks being executed from such a file.

Packages

Name                 Ecosystem   Affected versions      Fixed version
neos/media-browser   composer    < 7.3.19               7.3.19
neos/media-browser   composer    >= 8.0.0, < 8.0.16     8.0.16
neos/media-browser   composer    >= 8.1.0, < 8.1.11     8.1.11
neos/media-browser   composer    >= 8.2.0, < 8.2.11     8.2.11
neos/media-browser   composer    >= 8.3.0, < 8.3.9      8.3.9

EPSS

Score: 0.0027 (percentile: 50%), Low

CVSS3

5.4 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
Source: nvd
Published: more than 2 years ago

Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file to the neos/management/media component.
