PT-2022-24049 · Pyrocms · Pyrocms

Bruno Barreirinhas · Published 2022-11-25 · Updated 2025-04-25 · CVE-2022-37721

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PyroCMS version 3.9

Description: A low-privileged user, such as an author, can inject a crafted HTML and JavaScript payload into a blog post. The payload is stored with the post and executes in the browser of an administrator who later views it (hence UI:R in the vector), which can lead to full admin account takeover or privilege escalation. This is a stored cross-site scripting (XSS) issue.

Recommendations: For PyroCMS version 3.9, restrict the ability of low-privileged users to submit raw HTML and JavaScript in blog posts until a patch is available and applied, for example by sanitizing or escaping post bodies server-side before they are stored or rendered. As a temporary workaround, disabling the blog post feature for low-privileged users reduces the exposure.
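The recommendation above is a policy workaround; the underlying fix for this class of issue is server-side sanitization of author-supplied post bodies (or escaping on output) so that an administrator viewing the post never runs author-controlled script. The following is an added example, not PyroCMS code, of a role-aware allowlist sanitizer: the role names ("author", "admin"), the allowlists and the function names are assumptions, and the sample post body is a constructed set of generic stored-XSS vectors, not a reproduction of the reported payload.

```python
"""Role-aware allowlist sanitizer for blog-post bodies (added example, not PyroCMS code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for an "author": formatting only. Never allow style=,
# on*= handlers or arbitrary URL schemes.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "ul", "ol",
                "li", "h2", "h3", "blockquote", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
RAW_HTML_ROLES = {"admin"}  # assumed: only admins may store unsanitized HTML


def is_safe_url(value: str) -> bool:
    """Allow http(s) and site-relative URLs only.

    Whitespace and control characters are removed first because browsers
    ignore them, so "java\\tscript:" would otherwise bypass a naive check.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    if parts.scheme in ("http", "https"):
        return True
    # No scheme and no host: rejects javascript:, data:, vbscript: and
    # protocol-relative //attacker.example links alike.
    return parts.scheme == "" and parts.netloc == ""


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes and drops everything else."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # >0 inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content is still emitted (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this also removes every on* handler and style=
            value = value or ""
            if name in ("href", "src") and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE> and processing instructions hit the base-class
    # no-op handlers and are therefore dropped.

    def result(self) -> str:
        return "".join(self.out)


def sanitize_post_body(body: str, role: str) -> str:
    """Return the HTML that may be stored for a post submitted by `role`."""
    if role in RAW_HTML_ROLES:
        return body
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


# Constructed sample: generic stored-XSS vectors in an author's post body
# (not a reproduction of the reported payload).
CRAFTED_POST = (
    "<p>Welcome to my post</p>"
    "<script>fetch('/admin/users', {credentials: 'include'})</script>"
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="JAVA\tSCRIPT:alert(1)">click</a>'
    '<a href="https://example.org/">ok</a>'
    '<p style="background:url(javascript:alert(1))">styled</p>'
)
EXPECTED_AUTHOR_OUTPUT = (
    '<p>Welcome to my post</p><img src="x"><a>click</a>'
    '<a href="https://example.org/">ok</a><p>styled</p>'
)

if __name__ == "__main__":
    print(sanitize_post_body(CRAFTED_POST, "author"))
```

Python's html.parser is used here only to keep the example self-contained; it is not a browser-grade parser, so a production deployment should use a maintained sanitizer such as HTML Purifier on the PHP side (PyroCMS is built on Laravel) or DOMPurify in the browser, keep output escaping on by default (Blade's `{{ }}` rather than `{!! !!}` for post bodies), and add a Content-Security-Policy so that a bypass cannot be turned into admin takeover. Sanitizing on input is a defence-in-depth layer, not a replacement for escaping on output.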

Fix

LPE

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-37721
GHSA-CM7F-HF2G-GHRP

Affected Products

Pyrocms