CVE-2023-48701 HIGH

CVE-2023-48701: Statamic CMS vulnerable to Cross-site Scripting via uploaded assets

Vendor Statamic
Product cms
Weakness CWE-79 · XSS
Published November 21, 2023
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H

What the vulnerability does

01Description

Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 an 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched on 3.4.15 and 4.36.0.

Key dates

02Disclosure timeline

November 21, 2023 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-53758 WordPress WP MathJax plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability CVE-2023-46086 WordPress affiliate-toolkit – WordPress Affiliate Plugin Plugin <= 3.4.3 is vulnerable to Cross Site Scripting (XSS) CVE-2026-39541 WordPress Hydra Booking plugin <= 1.1.38 - Cross Site Scripting (XSS) vulnerability CVE-2014-125078 yanheven console horizon.instances.js cross site scripting CVE-2023-25789 WordPress Tapfiliate Plugin <= 3.0.12 is vulnerable to Cross Site Scripting (XSS)