5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-33197

CVE-2023-33197: Craft CMS stored XSS in indexedVolumes

Summary

XSS can be triggered via the Update Asset Index utility

PoC

Access setting tab
Create new assets
In assets name inject payload: "<script>alert(26)</script>
Click Utilities tab
Choose all volumes, or volume trigger xss
Click Update asset indexes.

XSS will be triggered

Json response volumes name makes triggers the payload

"session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"},

It’s run on every POST request in the utility.

Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-33197

CVE-2023-33197:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
craftcms/cms	composer	>= 4.0.0-RC1, <= 4.4.5	4.4.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper HTML escaping when rendering indexed volume names in the asset index utility. The commit 8c2ad0b shows the fix involved replacing dangerous string concatenation with safe DOM manipulation using jQuery.text() method. The original vulnerable code in getIndexingSessionRowHtml() constructed HTML list items directly from user-controlled indexedVolumes data, which contained unsanitized script tags from malicious asset names. The XSS triggers when this HTML is rendered in the admin interface during asset index updates.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-33197: Craft CMS stored XSS in indexedVolumes

Summary

PoC

CVE-2023-33197:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-33197: Craft CMS stored XSS in indexedVolumes

Summary

PoC

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.5

5.5

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI