PT-2023-24213 · Craft · Craft

Whitebearvn · Published 2023-05-26 · Updated 2023-06-02 · CVE-2023-33196

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.4.7

Description: Cross-site scripting (XSS) can be triggered when asset volumes are reviewed after indexing. The control-panel action index.php?p=admin/actions/asset-indexes/process-indexing-session does not properly filter its skippedEntries and missingEntries parameters, so an attacker can inject a script payload such as <script>alert(1337)</script> into an asset name; the payload executes in the browser of a user who clicks the Review button. Exploitation requires an authenticated account with low privileges and a victim interaction (CVSS PR:L, UI:R).

Recommendations: Update Craft to version 4.4.7 or later, which resolves the issue. As a temporary workaround until the update is applied, restrict access to the index.php?p=admin/actions/asset-indexes/process-indexing-session endpoint and avoid passing the skippedEntries and missingEntries parameters to it.
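The following is an added illustration and not code from Craft or from this advisory. It models the review-list rendering described above in two variants: one that concatenates the skippedEntries and missingEntries values straight into markup (the class of defect the advisory describes) and one that escapes every untrusted value first. The data shape (plain path strings), the function names, the data-path attribute and the sample values are all assumptions made for the example.

```javascript
// Added example, not Craft's own code. Models how unescaped asset names in
// skippedEntries / missingEntries can reach the review markup, and the
// escaped alternative. Data shape, names and sample values are assumed.

// Minimal HTML escaper for text placed between tags or inside attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample session: one benign name and two attacker-chosen names
// (the advisory's alert(1337) payload and an attribute-breakout variant).
const sampleSession = {
  skippedEntries: [
    'uploads/report.pdf',
    'uploads/<script>alert(1337)</script>.png',
  ],
  missingEntries: [
    'uploads/old" onmouseover="alert(1)".jpg',
  ],
};

function listUnsafe(title, names) {
  // Vulnerable pattern: names are concatenated straight into markup,
  // both in text context and inside an attribute value.
  return `<h3>${title}</h3><ul>` +
    names.map((n) => `<li data-path="${n}">${n}</li>`).join('') +
    '</ul>';
}

function listSafe(title, names) {
  // Hardened pattern: every untrusted value is escaped in both contexts.
  return `<h3>${escapeHtml(title)}</h3><ul>` +
    names.map((n) => `<li data-path="${escapeHtml(n)}">${escapeHtml(n)}</li>`).join('') +
    '</ul>';
}

function renderReviewUnsafe(session) {
  return listUnsafe('Skipped', session.skippedEntries) +
         listUnsafe('Missing', session.missingEntries);
}

function renderReviewSafe(session) {
  return listSafe('Skipped', session.skippedEntries) +
         listSafe('Missing', session.missingEntries);
}

// Regression check a reviewer can run against any renderer: after rendering,
// no attacker-supplied name containing a tag or quote character may appear
// verbatim in the output.
function leaksMarkup(html, names) {
  return names.some((n) => /[<>"]/.test(n) && html.includes(n));
}

const allNames = [...sampleSession.skippedEntries, ...sampleSession.missingEntries];
console.log('unsafe leaks:', leaksMarkup(renderReviewUnsafe(sampleSession), allNames)); // true
console.log('safe leaks:  ', leaksMarkup(renderReviewSafe(sampleSession), allNames));   // false
```

The leaksMarkup check is deliberately renderer-agnostic: it only asks whether a hostile input survived untouched, so it can be pointed at a real response body from the review dialog when verifying that an upgrade to 4.4.7 actually closed the path on a given installation.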

Tags: XSS

Weakness Enumeration

Related Identifiers

CVE-2023-33196
GHSA-CJMM-X9X9-M2W5

Affected Products

Craft