VYPR
Moderate severity · NVD Advisory · Published May 7, 2021 · Updated Aug 3, 2024

CVE-2021-32470

Description

Craft CMS before 3.6.13 has an XSS vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS versions before 3.6.13 contain an XSS vulnerability in the field layout designer's tab naming prompt: the name returned by prompt() was used without HTML escaping.

Vulnerability

Analysis

CVE-2021-32470 is a cross-site scripting (XSS) vulnerability present in Craft CMS prior to version 3.6.13. The issue arises in the field layout designer's tab naming function. When a user renames a tab, the application called JavaScript's prompt() and used the returned value as the tab name without HTML-escaping it [3]. A tab name containing markup or script was therefore interpreted by the browser as HTML when the tab was rendered, rather than being displayed as text.

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have authenticated access to the Craft CMS control panel with permission to edit field layouts (for example, a content designer or admin account). The attack vector is network-based and requires user interaction: the crafted name has to be entered through the tab rename prompt and then rendered in a control panel user's browser [1][3]. The vulnerability is classified as XSS (CWE-79) and carries a CVSS v3.1 score of 4.8 (Medium), reflecting the high privileges required and the user interaction involved [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript within the context of the victim's browser session in the Craft CMS control panel. This can lead to session hijacking, defacement, or redirection to malicious sites, but only against users who have already authenticated to the CMS [1].

Mitigation

The vulnerability was patched in Craft CMS version 3.6.13, released on May 4, 2021. The fix wraps the value returned by prompt() with Craft.escapeHtml() before it is used as the tab name, so any HTML or JavaScript in the entered name is rendered as literal text rather than interpreted as markup [3]. Users are strongly advised to upgrade to version 3.6.13 or later. No workarounds have been published; however, restricting field layout editing privileges to trusted users reduces exposure, since only users who can rename tabs can plant a crafted name [2].
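The following is an added example written for this page, not Craft CMS code, that models the tab-rename flow described in the Analysis and Mitigation sections in plain Node.js with no browser DOM. The escapeHtml() function, the renderTab() markup and the payload are assumptions for the demo; prompt() is injected as a function so the example runs headless, mirroring window.prompt(), which returns null when the dialog is cancelled. It also goes one step past the text to show two edge cases a reviewer would check: the cancelled-dialog path and what happens when an already-escaped name is escaped again downstream.

```javascript
// Added example, not Craft CMS code: models the tab-rename flow behind
// CVE-2021-32470 in plain Node.js without a browser DOM.

// Minimal HTML escaper for element and attribute context. Assumption:
// Craft.escapeHtml() is treated as equivalent for this demo; this is not
// the project's implementation.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pre-3.6.13 shape: whatever prompt() returns becomes the tab name.
// `prompt` is injected so the example runs headless; window.prompt()
// returns null when the dialog is cancelled.
function promptForTabNameVulnerable(prompt, oldName) {
  return prompt('Give your tab a name.', oldName);
}

// 3.6.13 shape, plus one refinement: a cancelled dialog (null) is passed
// through unchanged instead of being coerced to a string by the escaper.
function promptForTabNameFixed(prompt, oldName) {
  const name = prompt('Give your tab a name.', oldName);
  return name === null ? null : escapeHtml(name);
}

// Stand-in for markup a layout designer might build for a tab when the
// name is concatenated into HTML (hypothetical; not Craft's markup).
function renderTab(name) {
  return '<li class="tab"><span>' + name + '</span></li>';
}

// Does the rendered name still contain a raw tag start? After escaping no
// literal '<' can survive, so this cleanly separates the two paths.
function containsRawTag(html) {
  const inner = html.slice('<li class="tab"><span>'.length, -'</span></li>'.length);
  return /<[a-z!\/]/i.test(inner);
}

// What happens if the already-escaped name is saved and later passed
// through a second, output-side escaper (e.g. template autoescaping).
function escapeTwice(name) {
  return escapeHtml(escapeHtml(name));
}

// Constructed payload of the kind a malicious content designer could type
// into the rename dialog.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

function demo() {
  const vuln = renderTab(promptForTabNameVulnerable(() => PAYLOAD, 'Content'));
  const fixed = renderTab(promptForTabNameFixed(() => PAYLOAD, 'Content'));
  const cancelled = promptForTabNameFixed(() => null, 'Content');
  return { vuln, fixed, cancelled, doubleEscaped: escapeTwice('Q&A') };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the vulnerable rendering with the `<img ... onerror>` tag intact, the fixed rendering with it entity-encoded, `null` for a cancelled dialog, and `Q&amp;amp;A` for the double-escape case. That last value is why escaping at the input boundary is a trade-off: the escaped name is what gets handed to callers and persisted, so any later context-aware output escaping encodes it a second time.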

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    | Affected versions | Patched versions
craftcms/cms (Packagist)   | < 3.6.13          | 3.6.13

Affected products: 2

Patches: 1

f9378aa154b5

Fixed an XSS vulnerability

https://github.com/craftcms/cms · brandonkelly · Apr 30, 2021 · via ghsa
4 files changed · +6 −3
  • CHANGELOG.md  +3 −0  modified
    @@ -5,6 +5,9 @@
     ### Fixed
     - Fixed a bug where Matrix fields’ Configuration settings weren’t expanding when nested field settings got taller. ([#7827](https://github.com/craftcms/cms/issues/7827))
     
    +### Security
    +- Fixed an XSS vulnerability.
    +
     ## 3.6.12.1 - 2021-04-29
     
     ### Fixed
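Review bot: the new "Fixed an XSS vulnerability." entry under ### Security carries no advisory, issue or component reference, while the ### Fixed entry two lines above links its GitHub issue; add the GHSA/CVE identifier once assigned, or at least name the field layout designer tab prompt, so a changelog reader can tell which component was affected and whether their usage is in scope.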
    
  • src/web/assets/cp/dist/js/Craft.min.js  +1 −1  modified
  • src/web/assets/cp/dist/js/Craft.min.js.map  +1 −1  modified
  • src/web/assets/cp/src/js/FieldLayoutDesigner.js  +1 −1  modified
    @@ -223,7 +223,7 @@ Craft.FieldLayoutDesigner = Garnish.Base.extend({
         },
     
         promptForTabName: function(oldName) {
    -        return prompt(Craft.t('app', 'Give your tab a name.'), oldName);
    +        return Craft.escapeHtml(prompt(Craft.t('app', 'Give your tab a name.'), oldName));
         },
     
         removeTab: function($tab) {
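Review bot: wrapping the whole prompt() call in Craft.escapeHtml() changes the cancel path of promptForTabName: window.prompt() returns null when the user dismisses the dialog, and that null now passes through the escaper before any caller can test for it, so a `=== null` check in the callers silently stops matching. Capture the result first and escape only a real name, e.g. `var name = prompt(Craft.t('app', 'Give your tab a name.'), oldName); return name === null ? null : Craft.escapeHtml(name);`. Separately, escaping at the input boundary means the entity-encoded name (a tab called "Q&A" comes back as "Q&amp;A") is what callers receive and persist, and any later output-side escaping will encode it a second time; escaping at the point where the name is written into the DOM, or inserting it with a text setter rather than as HTML, would keep the model value raw and fix the injection at its sink.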
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.