Moderate severityNVD Advisory· Published Mar 3, 2023· Updated Feb 25, 2025
Craft CMS stored cross-site scripting vulnerability
CVE-2023-23927
Description
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
craftcms/cmsPackagist | >= 4.0.0-RC1, < 4.3.7 | 4.3.7 |
craftcms/cmsPackagist | >= 3.7.24, < 3.7.64 | 3.7.64 |
Affected products
2Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-qcrj-6ffc-v7hqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-23927ghsaADVISORY
- github.com/craftcms/cms/blob/develop/CHANGELOG.mdghsax_refsource_MISCWEB
- github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hqghsax_refsource_CONFIRMWEB
- user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.