CVE-2023-43341
Description
Reflected XSS in Evolution CMS 3.2.3 installation process via uid parameter allows arbitrary script execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2023-43341 is a reflected Cross-Site Scripting (XSS) vulnerability in Evolution CMS version 3.2.3 [1]. The root cause is that the value submitted in the uid parameter of the installer's database connection step is written back into the next page of the installation wizard without HTML output encoding, so an attacker-chosen string is interpreted by the browser as markup and can carry arbitrary JavaScript [3].
Exploitation
An attacker crafts a URL whose uid parameter carries a payload such as '"<svg/onload=alert('XSS')> [3]. The leading quote characters are there to break out of a quoted attribute or string context that the value is reflected into, and the svg element's onload handler fires as soon as the browser parses the tag, with no user interaction beyond loading the page. If a user who is part-way through the installation wizard opens the link and proceeds to the next step, the payload executes in the origin of the installer page [3]. No authentication is required; the preconditions are that the installer is still deployed and reachable, and that the victim can be induced to open the crafted link while installing.
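The reflection and its fix, as an added worked example: this is not Evolution CMS code and is not taken from the PoC repository. It assumes, purely for illustration, that the installer writes the submitted uid back into an input element's value attribute on the following wizard page; the URL path and the action parameter name are invented. It goes one step beyond the page by also showing the partial fix (escaping &lt; &gt; &amp; but not quotes) that this particular payload is designed to beat, and a probe-based reflection check of the kind a scanner or pentester runs against such a parameter.

```python
"""Reflected XSS via an installer form field: added illustration, not Evolution CMS code.

Assumption (not stated on the page): the installer re-displays the submitted
uid value inside an <input value="..."> attribute on the next wizard step.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Payload quoted in the PoC description: the leading '" closes a single- or
# double-quoted attribute, then <svg/onload=...> opens a tag with an event handler.
PAYLOAD = "'\"<svg/onload=alert('XSS')>"

# Constructed base URL; the path and the 'action' parameter are illustrative only.
INSTALL_URL = "http://cms.example/install/index.php"


def build_attack_url(uid: str, base: str = INSTALL_URL) -> str:
    """Craft the link an attacker would send; urlencode percent-encodes the payload."""
    return f"{base}?{urlencode({'action': 'connection', 'uid': uid})}"


def uid_from_url(url: str) -> str:
    """Server side: read uid back out of the query string (percent-decoding it)."""
    return parse_qs(urlsplit(url).query).get("uid", [""])[0]


def render_vulnerable(uid: str) -> str:
    """Root-cause pattern: reflects uid into the page with no output encoding."""
    return f'<input type="text" name="uid" value="{uid}">'


def render_half_hardened(uid: str) -> str:
    """Common mistake: escapes < > & only; quotes survive, so the attribute can still be closed."""
    return f'<input type="text" name="uid" value="{html.escape(uid, quote=False)}">'


def render_hardened(uid: str) -> str:
    """Context-correct fix: escape quotes as well when the value lands in an attribute."""
    return f'<input type="text" name="uid" value="{html.escape(uid, quote=True)}">'


def classify_reflection(body: str, probe: str) -> str:
    """Probe-based reflection check.

    Looks for the probe in the response in three encodings and reports which one
    came back: 'raw' means every special character survived (exploitable);
    'quotes-raw' means < > & were escaped but quotes were not (still exploitable
    inside a quoted attribute); 'escaped' means the output is safe in that context;
    'absent' means the probe was not reflected at all.
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=False) in body:
        return "quotes-raw"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    link = build_attack_url(PAYLOAD)
    uid = uid_from_url(link)          # what the installer actually receives
    for name, render in [("vulnerable", render_vulnerable),
                         ("half-hardened", render_half_hardened),
                         ("hardened", render_hardened)]:
        page = render(uid)
        print(f"{name:14s} {classify_reflection(page, PAYLOAD):11s} {page}")
```

The three renderers show why the payload starts with both quote characters: escaping only the angle brackets is not enough once the reflected value sits inside a quoted attribute, and a reflection check that only looks for a raw `<svg` would miss that case.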
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the origin of the site being installed. That can be used for session hijacking, redirection to attacker-controlled sites, or theft of data present on the installer pages, for example the database connection parameters entered during setup [1][3].
Mitigation
As of the publication date no official patch has been released for Evolution CMS 3.2.3 [2], and the advisory data for this CVE lists no patched version. Until a fix is available, expose the installer only to trusted networks, run the installation from a browser session that is not also used to open untrusted links, and remove or block the install directory as soon as setup finishes, since the vulnerable code is reachable only while the installer is deployed [3].
- [1] NVD - CVE-2023-43341 (nvd.nist.gov/vuln/detail/CVE-2023-43341)
- [2] GitHub - evolution-cms/evolution (project repository)
- [3] GitHub - sromanhu/CVE-2023-43341-Evolution-Reflected-XSS---Installation-Connection- (proof of concept: Evolution CMS 3.2.3 XSS via a crafted payload in the installation/connection process)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| evolutioncms/evolution | Packagist | <= 3.2.3 | none published |
Affected products
- evolution/evo
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-5h47-9rm5-fx3f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43341 (NVD entry, linked from the advisory)