PT-2020-13742 · Craft Cms · Craft Cms Comments Plugin

Paweł Hałdrzyński · Published 2020-06-05 · Updated 2022-05-24 · CVE-2020-13869

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Comments plugin for Craft CMS versions prior to 1.5.6

Description: The issue is related to stored XSS via a guest name. This allows for malicious code to be stored and executed when a user interacts with the affected component.

Recommendations: For versions prior to 1.5.6, update to version 1.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Comments plugin until the update is applied. Avoid using the guest name field in the Comments plugin until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-13869
GHSA-JHHF-C849-3RH2

Affected Products

Craft Cms Comments Plugin