Title: DOM Stored XSS in Craft CMS
CVE ID: CVE-2022-37246
CVSSv3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Vendor: Craft CMS
Products: Craft CMS
Advisory Release Date: 7 Sep 2022
Advisory URL: https://labs.integrity.pt/advisories/CVE-2022-37246
Credits: Discovery by Gil Correia <gil.correia[at]devoteam.com>
To trigger this vulnerability it is necessary to create two categories: one whose value holds the payload that is going to take effect, and another with any value. Note that the payload is only executed when the victim adds the tampered Parent, since that action is not filtered from the beginning. By adding the tampered Parent to the second category, it is possible to verify that the JavaScript is executed.
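The pattern behind the advisory, as an added example that is not Craft CMS code: it assumes the parent-category picker writes the stored category title into the page client-side (the exact sink in Craft is not described here), and the category records and payload string are constructed samples.

```javascript
// Added example (not Craft CMS code): models the DOM stored XSS pattern in CVE-2022-37246.
// A category title saved by one user is later written into the page when another user
// picks it as a Parent. Category records and the payload below are constructed samples.

const categories = [
  { id: 1, title: 'News' },
  // Constructed sample payload stored as a category title by the attacker.
  { id: 2, title: '<img src=x onerror=alert(1)>' },
];

// Vulnerable pattern: the stored title is interpolated into HTML as-is.
// Assigning this string to innerHTML runs the payload in the victim's browser.
function renderParentOptionsUnsafe(cats) {
  return cats.map(c => `<option value="${c.id}">${c.title}</option>`).join('');
}

// Hardened pattern: encode every HTML metacharacter before the title reaches the DOM
// (or, equivalently, build the <option> with createElement and set textContent).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderParentOptionsSafe(cats) {
  return cats
    .map(c => `<option value="${escapeHtml(c.id)}">${escapeHtml(c.title)}</option>`)
    .join('');
}

// Defender's audit: after patching, list stored category titles that still carry markup.
// The stored payload survives the fix and would fire on any remaining unescaped render.
function findTamperedTitles(cats) {
  return cats.filter(c => /<[a-z!\/]/i.test(c.title)).map(c => c.id);
}

console.log(renderParentOptionsUnsafe(categories));
console.log(renderParentOptionsSafe(categories));
console.log('tampered category ids:', findTamperedTitles(categories));
```

The unsafe renderer emits the stored tag verbatim, the safe one emits it as inert text, and the audit returns the ids of categories whose titles contain markup.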