CVE-2022-37246 - DOM Stored XSS in Craft CMS

1. Vulnerability Properties

Title: DOM Stored XSS in Craft CMS CVE ID: CVE-2022-37246
CVSSv3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Vendor: Craft CMS
Products: Craft CMS
Advisory Release Date: 7 Sep 2022
Advisory URL: https://labs.integrity.pt/advisories/CVE-2022-37246
Credits: Discovery by Gil Correia <gil.correia[at]devoteam.com>

2. Vulnerability Summary

For this vulnerability is necessary to create two categories, one with the payload that is going to take effect and another with any value. Note that this payload is only executed when the victim adds the tampered Parent since the action is not filtered from the beginning. By adding the tampered Parent to the second category created it’s possible to verify that javascript is executed.

3. Vulnerable Versions

  • 4.* & 3.*

4. Solution

  • Update to version 4.2.1 or higher

5. Vulnerability Timeline

  • 28/07/22 -Vulnerability reported to Craft CMS via their report page.
  • 29/07/22 -Vulnerability verified by vendor.
  • 29/07/22 -Vulnerability fixed by vendor.
  • 07/09/22 -Advisory released.

6. References

  • https://github.com/craftcms/cms/commit/1d5fdba23c84d6d09a8a980c7b6fc52fb93b679b


© 2022 Integrity Part of Devoteam. All rights reserved. | Cookie Policy

Cookie Consent X

Integrity S.A. uses cookies for analytical and more personalized information presentation purposes, based on your browsing habits and profile. For more detailed information, see our Cookie Policy.