CVE-2023-4136

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27.

Affected Software

VendorProductVersion RangeStatus
CrafterCMSCrafterCMS4.0.0 <= 4.0.2affected
CrafterCMSCrafterCMS3.1.0 <= 3.1.27affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

  • Add a WAF to inspect and filter these types of attacks
  • Disable external access to these APIs if not in active use by the rendering application

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References