VYPR
Moderate severity · NVD Advisory · Published Aug 4, 2023 · Updated Oct 9, 2024

Improper Neutralization of Special Elements in Output Used by a Downstream Component in omeka/omeka-s

CVE-2023-4157

Description

A stored cross-site scripting (XSS) vulnerability in Omeka S prior to 4.0.3 allows attackers to inject arbitrary scripts via unescaped installation title.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2023-4157 is a stored cross-site scripting (XSS) vulnerability in Omeka S, a web publication system for cultural heritage institutions. The flaw is an instance of improper neutralization of special elements in output used by a downstream component (CWE-74): the installation title, a value stored in the global settings, was echoed into HTML without escaping in the admin layout header, in the admin dashboard welcome message and in the top-level index view. A title containing markup or script was therefore rendered as-is by every browser that loaded one of those pages.

Exploitation

Prerequisites

An attacker needs an account that can change the installation title, which is edited through the settings interface and therefore requires administrative access to the Omeka S installation [1]. The unescaped title is rendered in several places: the logo link in the admin header, the welcome message on the admin dashboard, and the "Go to the Admin dashboard" sentence on the top-level index page [3]. No other privilege or network position is required beyond those credentials.

Impact

Successful exploitation yields stored XSS: script carried in the title runs in the browser of every user who loads an affected page, which allows session hijacking, arbitrary actions performed with the victim's privileges, or exfiltration of data visible to that user. Two of the three patched views are admin pages, so the primary victims are other administrators who open the dashboard; the third patched view, application/view/omeka/index/index.phtml, sits outside the admin view tree, so exposure is not strictly confined to the admin interface. Because only an administrator can set the title, the flaw mainly gives one privileged account a way to attack other accounts or to persist access.

Mitigation

Status

Omeka S version 4.0.3 and later include the fix: commit 8b72619d9731 wraps the installation title in the HTML-escaping view helper at each output point, using $escape() in application/view/layout/layout-admin.phtml and $this->escapeHtml() in application/view/omeka/admin/index/browse.phtml and application/view/omeka/index/index.phtml [3]. No workaround is documented; upgrading is the recommended course of action [2]. Until an instance is upgraded, the stored value of the installation title setting can be inspected for markup, since any payload has to be saved there first.
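The following is an added example, not code from Omeka S or from the commit, illustrating the rendering paths described in the Overview and in the fix above. It reproduces the pre-4.0.3 and patched versions of the index-page sentence in plain PHP, with htmlspecialchars() standing in for the Laminas escapeHtml view helper (an assumption about that helper's implementation) and a small hyperlink() stub standing in for $this->hyperlink(). The title value and the payload are constructed for the demo. It also shows why the commit escapes the single untrusted argument rather than the whole sprintf() result: the other argument is intentional markup.

```php
<?php
// Added example (not Omeka S code). Requires PHP 8 for str_contains().
declare(strict_types=1);

// Stand-in for the Omeka S / Laminas escapeHtml view helper.
// Assumption: the real helper escapes with these flags in UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for $this->hyperlink(): returns markup on purpose, like the real helper.
function hyperlink(string $text, string $href): string
{
    return sprintf('<a href="%s">%s</a>', escapeHtml($href), escapeHtml($text));
}

// Pre-4.0.3 behaviour of application/view/omeka/index/index.phtml:
// the stored setting is interpolated into the page as-is.
function renderIndexVulnerable(string $title): string
{
    return sprintf(
        '<p>Go to the %1$s to start working with %2$s.</p>',
        hyperlink('Admin dashboard', '/admin'),
        $title
    );
}

// 4.0.3 behaviour: only the untrusted argument is escaped; %1$s is trusted
// markup produced by hyperlink() and must not be escaped.
function renderIndexFixed(string $title): string
{
    return sprintf(
        '<p>Go to the %1$s to start working with %2$s.</p>',
        hyperlink('Admin dashboard', '/admin'),
        escapeHtml($title)
    );
}

// The tempting but wrong fix: escaping the whole rendered sentence also
// destroys the link, because the hyperlink markup gets escaped too.
function renderIndexOverEscaped(string $title): string
{
    return escapeHtml(renderIndexVulnerable($title));
}

// Constructed attacker-controlled installation title, as an administrator
// could save it through the global settings form.
$payload = 'Omeka S<script>alert(document.cookie)</script>';

$variants = [
    'vulnerable'   => 'renderIndexVulnerable',
    'fixed'        => 'renderIndexFixed',
    'over-escaped' => 'renderIndexOverEscaped',
];

foreach ($variants as $label => $fn) {
    $html = $fn($payload);
    printf("%-12s script tag survives: %-3s link survives: %s\n",
        $label,
        str_contains($html, '<script>') ? 'YES' : 'no',
        str_contains($html, '<a href="/admin">') ? 'YES' : 'no');
    echo '  ', $html, "\n";
}
```

Run with `php example.php`. Only the "fixed" variant keeps the admin link intact while neutralising the script tag; the vulnerable variant emits the script unchanged, and the over-escaped variant removes the script but renders the link as literal text, which is the behaviour the commit avoids by escaping just the title argument.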

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: omeka/omeka-s (Packagist)
Affected versions: < 4.0.3
Patched versions: 4.0.3

Affected products: 2

Patches: 1

8b72619d9731 · Escape installation title when displaying

https://github.com/omeka/omeka-s · John Flatness · Jul 28, 2023 · via ghsa
3 files changed · +3 −3
  • application/view/layout/layout-admin.phtml+1 1 modified
    @@ -37,7 +37,7 @@ $this->trigger('view.layout');
             <a href="#content" class="skip"><?php echo $translate('Skip to main content'); ?></a>
             <div class="flex">
                 <header>
    -                <div class="logo"><a href="<?php echo $this->url('admin'); ?>"><?php echo $this->setting('installation_title', 'Omeka S'); ?></a></div>
    +                <div class="logo"><a href="<?php echo $this->url('admin'); ?>"><?php echo $escape($this->setting('installation_title', 'Omeka S')); ?></a></div>
                     <div id="mobile-nav">
                         <a href="#" class="o-icon-menu button"><span class="screen-reader-text"><?php echo $translate('Navigation menu'); ?></span></a>
                         <a href="#" class="o-icon-search button"><span class="screen-reader-text"><?php echo $translate('Search site'); ?></span></a>
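Review bot: the added line calls `$escape(...)`, but `$escape` is not defined anywhere in this hunk; if it is not assigned earlier in layout-admin.phtml (the usual Omeka S pattern is `$escape = $this->plugin('escapeHtml');`), the admin layout fails with an undefined-variable error on every page. The other two files in this commit call `$this->escapeHtml(...)` directly, and using that form here would remove the dependency on a variable defined out of view. The `'Omeka S'` default passed to `setting()` is a literal and is safe either way.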
    
  • application/view/omeka/admin/index/browse.phtml+1 1 modified
    @@ -6,7 +6,7 @@ echo $this->pageTitle($translate('Admin dashboard'));
     
     <div id="dashboard">
         <?php echo $this->partial('common/version-notification'); ?>
    -    <p><?php echo sprintf($translate('Welcome to the %s admin dashboard!'), $title); ?></p>
    +    <p><?php echo sprintf($translate('Welcome to the %s admin dashboard!'), $this->escapeHtml($title)); ?></p>
         <?php $this->trigger('view.browse.before'); ?>
         <div id="manage-resources" class="panel">
             <h2><?php echo $translate('Manage resources'); ?></h2>
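Review bot: `$title` is assigned above this hunk, outside the visible context, and only this one echo of it is escaped; please check the rest of browse.phtml for any other raw output of `$title` (or of `$this->setting('installation_title', ...)`), since the same stored value would be rendered there just as unescaped. Escaping the argument rather than the result of `sprintf()` is the right choice here, as it leaves the translated format string from `$translate()` untouched.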
    
  • application/view/omeka/index/index.phtml+1 1 modified
    @@ -31,5 +31,5 @@ endforeach;
     <p><?php echo sprintf(
         $translate('Go to the %1$s to start working with %2$s.'),
         $this->hyperlink($translate('Admin dashboard'), $this->url('admin')),
    -    $title
    +    $this->escapeHtml($title)
     ); ?></p>
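Review bot: this file lives under application/view/omeka/index/, not the admin view tree, so the unescaped title was reachable outside the admin interface; the advisory wording above that limits impact to the admin UI should say so. Escaping only `%2$s` is correct because `%1$s` is the return value of `$this->hyperlink(...)`, which is already HTML, and escaping it as well would render the "Admin dashboard" link as literal text.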
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.