PT-2023-32843 · Automad · Automad

Maland · Published 2023-12-21 · Updated 2025-06-15 · CVE-2023-7035

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: automad versions up to 1.10.9

Description: A vulnerability was found in automad that allows cross-site scripting through manipulation of the sitename argument. The issue affects some unknown functionality of the file packagesstandardtemplatespost.php in the Setting Handler component. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vulnerability is related to the SharedController class, which handles form data and saves shared information but does not properly sanitize user input on the client side when the data is rendered.

Recommendations: For automad versions up to 1.10.9, consider disabling the sitename argument or restricting its use until a patch is available. As a temporary workaround, ensure proper sanitization of user input on the client side when rendering data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
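As an added illustration of the recommendation above (example code, not Automad's own; the shared settings object, its sitename field and the template fragment are assumed), the stored sitename is output-encoded before it reaches the rendered markup, and a small check confirms that no tags other than the template's own appear in the result.

```javascript
// Added example, not part of Automad. It models a shared setting ("sitename")
// saved through a settings form and later interpolated into an HTML template.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five HTML metacharacters so the value is rendered as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the stored setting is interpolated verbatim, so any markup
// in the value becomes part of the page.
function renderHeaderUnsafe(shared) {
  return `<title>${shared.sitename}</title><h1 class="site">${shared.sitename}</h1>`;
}

// Hardened rendering: every interpolation of the setting goes through
// escapeHtml(), in element content and in the attribute value alike.
function renderHeaderSafe(shared) {
  const name = escapeHtml(shared.sitename);
  return `<title>${name}</title><h1 class="site" data-site="${name}">${name}</h1>`;
}

// Check helper: list every tag name found in the fragment that is not one of
// the tags the template itself emits. An empty list means nothing was injected.
function foreignTags(html, allowedTags) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return names.filter((t) => !allowedTags.includes(t));
}

// Constructed sample value (not from the advisory): a site name that contains
// markup characters, which is enough to show the difference between the two renderers.
const sampleShared = { sitename: 'Acme <b>Shop</b> & "Co"' };
```

With the sample value, renderHeaderUnsafe() yields four foreign `b` tags while renderHeaderSafe() yields none.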

Exploit: Code Injection, XSS

Weakness Enumeration

Related Identifiers: CVE-2023-7035, GHSA-7J9H-CH38-474R

Affected Products: Automad