# \[CVE-2023-30177] Stored - Cross Site Script (XSS)

**Exploit Author:** Dat Nguyen aka datnlq of VietSunshine Cyber Security Services

**Vendor of Product:** CraftCMS

**Affected Product Code Base:** 3.7.59

**CVE:** CVE-2023-30177

**Description:** CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into the Volume Name field; the stored payload executes in the control panel when the affected asset is opened.

**Steps to reproduce**:

1. Create a new Field (Settings -> Fields -> New Field) with the Field Type set to Assets.
2. Create a new Volume (Settings -> Assets -> Volumes -> New Volume), inject the malicious JavaScript code into the Name field, and assign the Field created at step 1 under Content.
3. Create a new Global Set (Settings -> Globals -> New Global Set). In the Field Layout, create a new tab and add the field created at step 1.
4. Go to Globals -> click the Global Set created at step 3 -> choose 'Upload files' and upload an arbitrary file to the server.
5. Double-click the file uploaded at step 4; the XSS will execute.
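The sink described above is a stored label (the Volume Name) rendered into control-panel HTML. The following is an added example, not Craft's own code, contrasting the vulnerable interpolation pattern with escape-on-output, plus an audit helper that flags already-stored names carrying markup; the `VOLUMES` records are constructed sample data.

```python
import html
import re

# Constructed sample of stored Volume records (not taken from a real Craft install).
# The "docs" entry carries the kind of markup the advisory says can be injected
# into the Volume Name field.
VOLUMES = [
    {"handle": "images", "name": "Images"},
    {"handle": "docs", "name": "Docs <script>alert(1)</script>"},
    {"handle": "video", "name": "Video & Audio"},
]

# Crude signs of active content in a value that should be a plain label:
# an opening/closing tag, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_option_unescaped(volume: dict) -> str:
    """Vulnerable pattern: the stored name is interpolated straight into HTML."""
    return f'<option value="{volume["handle"]}">{volume["name"]}</option>'


def render_option_escaped(volume: dict) -> str:
    """Hardened pattern: escape on output so stored markup stays inert text."""
    return (
        f'<option value="{html.escape(volume["handle"], quote=True)}">'
        f'{html.escape(volume["name"], quote=True)}</option>'
    )


def audit_volume_names(volumes: list) -> list:
    """Return handles of volumes whose stored name contains markup or script-like text.

    Useful after patching, to find values stored before output escaping or
    input validation was in place.
    """
    return [v["handle"] for v in volumes if MARKUP_RE.search(v["name"])]


if __name__ == "__main__":
    for v in VOLUMES:
        print("unescaped:", render_option_unescaped(v))
        print("escaped:  ", render_option_escaped(v))
    print("flagged:", audit_volume_names(VOLUMES))
```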
