PT-2023-20063 · Civicrm +1
Published 2023-05-23 · Updated 2025-01-31 · CVE-2023-25440
CVSS v3.1: 5.4 (Medium)
Base vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
CiviCRM version 5.59.alpha1
Description:
A stored Cross-Site Scripting (XSS) issue exists in the add-contact function: input supplied in the first/second name field is stored without adequate sanitization, allowing attackers to execute arbitrary script in the browser of users who later view the contact.
Recommendations:
For CiviCRM version 5.59.alpha1, as a temporary workaround, consider restricting the input accepted in the first/second name field to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Weakness Enumeration
Related Identifiers
BIT-CIVICRM-2023-25440
CVE-2023-25440
Affected Products
Civicrm
Debian
References · 16
- 🔥 https://packetstormsecurity.com/files/172470/CiviCRM-5.59.alpha1-Cross-Site-Scripting.html · Exploit
- 🔥 https://exploit-db.com/exploits/51478 · Exploit
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25440 · Security Note
- https://ubuntu.com/security/CVE-2023-25440 · Vendor Advisory
- https://security-tracker.debian.org/tracker/CVE-2023-25440 · Vendor Advisory
- https://security-tracker.debian.org/tracker/source-package/civicrm · Vendor Advisory
- https://osv.dev/vulnerability/BIT-civicrm-2023-25440 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2023-25440 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-25440 · Security Note
- https://osv.dev/vulnerability/UBUNTU-CVE-2023-25440 · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2023-25440 · Security Note
- https://t.me/cibsecurity/64608 · Telegram Post
- https://civicrm.org · Note
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25440 · Note
- https://t.me/cvenotify/109409 · Telegram Post