Moderate severityNVD Advisory· Published Sep 18, 2023· Updated Aug 2, 2024
CVE-2023-37611
CVE-2023-37611
Description
Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file to the neos/management/media component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
neos/media-browserPackagist | < 7.3.19 | 7.3.19 |
neos/media-browserPackagist | >= 8.0.0, < 8.0.16 | 8.0.16 |
neos/media-browserPackagist | >= 8.1.0, < 8.1.11 | 8.1.11 |
neos/media-browserPackagist | >= 8.2.0, < 8.2.11 | 8.2.11 |
neos/media-browserPackagist | >= 8.3.0, < 8.3.9 | 8.3.9 |
Affected products
3- Neos CMS/Neos CMSdescription
- osv-coords2 versions
>= 8.3.3, <= 8.3.3+ 1 more
- (no CPE)range: >= 8.3.3, <= 8.3.3
- (no CPE)range: < 7.3.19
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-6qjf-7g3j-qx25ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-37611ghsaADVISORY
- cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.htmlghsaWEB
- digi.ninja/blog/svg_xss.phpghsaWEB
- github.com/neos/neos-development-collection/commit/4ac0df04d2e44e164e95887b466075dde3f04045ghsaWEB
- github.com/neos/neos-development-collection/issues/4833ghsaWEB
- github.com/neos/neos-development-collection/pull/4812ghsaWEB
- github.com/neos/neos-ui/releases/tag/8.3.4ghsaWEB
- rodelllemit.medium.com/stored-xss-in-neo-cms-8-3-3-9bd1cb973c5bghsaWEB
News mentions
0No linked articles in our index yet.