Описание
Craft CMS XSS in RSS widget feed
Summary
A malformed RSS feed can deliver an XSS payload
PoC
Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss
The XSS payload will be triggered by the title in tag <item>
Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f
Пакеты
Наименование
craftcms/cms
composer
Затронутые версииВерсия исправления
>= 4.3.0, <= 4.4.5
4.4.6
Связанные уязвимости
CVSS3: 5
nvd
больше 2 лет назад
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.