{ "schema_version": "1.4.0", "id": "GHSA-mw37-wx8p-gp45", "modified": "2022-09-26T19:38:08Z", "published": "2022-09-17T00:00:30Z", "aliases": [ "CVE-2022-37251" ], "summary": "Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts", "details": "Craft CMS `3.70-RC1`–`3.7.55.1` and `4.0.0-RC1`–`4.2.0.1` are vulnerable to Cross Site Scripting (XSS) via entry revisions and drafts. Versions `3.7.55.2` and `4.2.1` contain patches for this issue.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "Packagist", "name": "craftcms/cms" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.7.0-beta.1" }, { "fixed": "3.7.55.2" } ] } ] }, { "package": { "ecosystem": "Packagist", "name": "craftcms/cms" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0-RC1" }, { "fixed": "4.2.1" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37251" }, { "type": "WEB", "url": "https://github.com/craftcms/cms/commit/7139213dbd9e177a3528aac8e2db8de91830f118" }, { "type": "WEB", "url": "https://github.com/craftcms/cms/commit/919c9074ff8596bf30a629b0888c529793e9a903" }, { "type": "WEB", "url": "https://github.com/craftcms/cms/commit/f0d9b8a1e3ac005a2418f7d3d9059b49a96e73ea" }, { "type": "PACKAGE", "url": "https://github.com/craftcms/cms" }, { "type": "WEB", "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09" }, { "type": "WEB", "url": "https://labs.integrity.pt/advisories/cve-2022-37251" }, { "type": "WEB", "url": "http://craft.com" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-09-20T17:14:36Z", "nvd_published_at": "2022-09-16T22:15:00Z" } }