
CVE-2022-37247: Craft CMS vulnerable to stored Cross-site Scripting via /admin/settings/fields page

CVSS Score (CVSS 3.1): 5.4

Basic Information

EPSS Score: 0.35541%
Published: 9/17/2022
Updated: 1/31/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: craftcms/cms
Ecosystem: composer
Vulnerable Versions: >= 4.0.0-RC1, < 4.2.1
First Patched Version: 4.2.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unescaped output of user-controlled data in the field configuration UIs of the control panel. The patch adds HTML encoding at the output boundary:

  1. In Cp.php, Html::encode() was added to the $tab->name and $groupName outputs.
  2. In index.twig, the |e filter was added to the translation of group.name.

These locations previously output user-controlled field, tab and group names directly, without sanitization, so a stored XSS payload saved as one of those names would execute in the browser of any admin who viewed the page.
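The pattern behind the fix, as an added example that is not Craft CMS code: a stored tab name rendered raw beside the same name rendered through an encode() stand-in (assumption: modelled on htmlspecialchars, standing in for Craft's Html::encode()), plus a check over constructed sample names, since output encoding does not clean names that were saved before the upgrade.

```php
<?php
// Added example (not Craft CMS code): unescaped field/tab/group names in admin
// HTML, the output-encoding fix, and a post-upgrade review of stored names.
declare(strict_types=1);

// Stand-in for Craft's Html::encode() (assumption: modelled on htmlspecialchars;
// the real helper in craft\helpers\Html is not reproduced here).
function encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored name is concatenated straight into admin HTML,
// so markup saved by a user with field-editing rights reaches every admin's browser.
function renderTabVulnerable(string $tabName): string
{
    return '<a class="tab">' . $tabName . '</a>';
}

// Fixed pattern: encode at the output boundary; the stored value is unchanged.
function renderTabFixed(string $tabName): string
{
    return '<a class="tab">' . encode($tabName) . '</a>';
}

// Post-patch check: encoding fixes output only, so names saved before 4.2.1 may
// still carry markup. Flag stored names containing HTML metacharacters for review.
function findSuspiciousNames(array $names): array
{
    return array_values(array_filter(
        $names,
        fn(string $name): bool => preg_match('/[<>"\']/', $name) === 1
    ));
}

// Constructed sample names: one plain, one with a harmless tag, one with quotes.
$names = ['Content', 'SEO <b>Settings</b>', 'Author "bio"'];

// The raw render passes the tag through; the fixed render emits &lt;b&gt; entities.
echo renderTabVulnerable($names[1]), PHP_EOL;
echo renderTabFixed($names[1]), PHP_EOL;

// Names an administrator should review in the database after upgrading.
print_r(findSuspiciousNames($names));
```

The review list is a starting point for a manual check, not proof of a payload: legitimate names may contain quotes, so inspect each hit rather than deleting it automatically.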
