5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37611

GHSA ID

GHSA-6qjf-7g3j-qx25

EPSS Score

0.5031%

CWE

CWE-79

Published

9/19/2023

Updated

1/16/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37611

CVE-2023-37611: Neos CMS Cross Site Scripting vulnerability

Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file uploaded to the neos/management/media component. To make use of this attack vector, the attacker must either be able to upload a maliciously crafted file or coerce someone with the needed access to upload said file to Neos. Even if such a file is uploaded and subsequently delivered, it is possible to use CSP to protect against attacks being executed from such a file.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37611

GHSA ID

GHSA-6qjf-7g3j-qx25

EPSS Score

0.5031%

CWE

CWE-79

Published

9/19/2023

Updated

1/16/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
neos/media-browser	composer	< 7.3.19	7.3.19
neos/media-browser	composer	>= 8.0.0, < 8.0.16	8.0.16
neos/media-browser	composer	>= 8.1.0, < 8.1.11	8.1.11
neos/media-browser	composer	>= 8.2.0, < 8.2.11	8.2.11
neos/media-browser	composer	>= 8.3.0, < 8.3.9	8.3.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from rendering direct links (assetProxy.originalUri) to uploaded SVG files without proper content validation. The pre-patch code in showAction and editAction passed untrusted asset proxies to views that generated <a href> links. The fix introduced a checkForMaliciousContent() method to validate SVGs before allowing original URI links, confirming these controller actions were the vulnerable entry points. The templates' use of assetProxy.originalUri in anchor tags without prior validation created the XSS vector when malicious SVGs were accessed directly.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* (XSS) vuln*r**ility in N*os *MS *.*.* *llows * r*mot* *ut**nti**t** *tt**k*r to *x**ut* *r*itr*ry *o** vi* * *r**t** SV* *il* uplo**** to t** `n*os/m*n***m*nt/m**i*` *ompon*nt. To m*k* us* o* t*is *tt**k v**tor, t** *tt**k*r must

Reasoning

T** vuln*r**ility st*mm** *rom r*n**rin* *ir**t links (*ss*tProxy.ori*in*lUri) to uplo**** SV* *il*s wit*out prop*r *ont*nt v*li**tion. T** pr*-p*t** *o** in s*ow**tion *n* **it**tion p*ss** untrust** *ss*t proxi*s to vi*ws t**t **n*r*t** <* *r**> li

5.4

Basic Information

Concerned about an active attack path?

CVE-2023-37611: Neos CMS Cross Site Scripting vulnerability

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI