Cyber Resilience

CVE-2023-23927

Severity: Medium | Public PoC

Published: 03 March 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 4.3.7
CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.0275 (86.3rd percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-23927 is a medium-severity cross-site scripting (CWE-79) vulnerability in Craft CMS (vendor: craftcms). Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 13.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

Deeper analysis

Craft CMS is affected by a stored cross-site scripting vulnerability tracked as CVE-2023-23927. An attacker can place a malicious payload in the label name or instructions field of an entry type; that stored text is later rendered without proper escaping inside the Quick Post widget on the administrative dashboard. The issue is present in versions prior to 4.3.7 and carries a CVSS 3.1 score of 6.1 under CWE-79.

Because the attack needs only network access and a victim who views the dashboard, any user able to create or edit entry types (the CVSS vector rates the required privileges as none, PR:N) can cause script execution in the context of an administrator's session. Successful exploitation lets the attacker read or modify limited dashboard content and potentially perform actions on behalf of the logged-in administrator.

The official Craft CMS changelog and the GitHub Security Advisory GHSA-qcrj-6ffc-v7hq state that the flaw is resolved in version 4.3.7; administrators are advised to upgrade promptly and to review any custom entry-type definitions that may contain untrusted label or instruction text.

The EPSS score for this CVE rose from a low baseline to a peak of 0.0955 on 2026-01-13 before receding to the current value of 0.0275, which indicates a period of heightened exploitation interest after public disclosure.
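As an added illustration (not code from Craft CMS or from the advisory), the unsafe rendering pattern described above is shown beside its encoded form, together with an audit helper that flags entry-type labels and instructions containing markup, which is the review the advisory recommends. The array layout (`handle`, `fields`, `label`, `instructions`) and the function names are assumptions made for this example.

```php
<?php
// Added example, not Craft CMS source. Array layout and names are assumed.

/** Encode a stored string for use in an HTML text node or attribute. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The flawed pattern: stored label/instructions interpolated raw into markup. */
function renderQuickPostFieldUnsafe(array $el): string
{
    return "<label>{$el['label']}</label><p class=\"instructions\">{$el['instructions']}</p>";
}

/** Hardened form: every stored string is encoded before reaching the dashboard. */
function renderQuickPostField(array $el): string
{
    return '<label>' . h($el['label']) . '</label>'
         . '<p class="instructions">' . h($el['instructions']) . '</p>';
}

/**
 * Flag entry-type field labels or instructions that contain markup-like or
 * script-like text, so they can be reviewed after upgrading to 4.3.7.
 * Heuristic only: legitimate HTML in instructions is flagged too, which is
 * acceptable because a flagged item just means a manual look.
 */
function auditEntryTypeLabels(array $entryTypes): array
{
    $findings = [];
    foreach ($entryTypes as $type) {
        foreach ($type['fields'] as $i => $el) {
            foreach (['label', 'instructions'] as $key) {
                $value = (string) ($el[$key] ?? '');
                if (preg_match('~<[a-z!/]|javascript:|\bon\w+\s*=~i', $value)) {
                    $findings[] = "{$type['handle']}.fields[$i].$key";
                }
            }
        }
    }
    return $findings;
}

// Constructed sample data: one clean entry type and one with a tainted label.
$entryTypes = [
    ['handle' => 'article', 'fields' => [['label' => 'Body', 'instructions' => 'Main text']]],
    ['handle' => 'promo', 'fields' => [['label' => 'Title<script>probe()</script>', 'instructions' => '']]],
];
print_r(auditEntryTypeLabels($entryTypes));
echo renderQuickPostField($entryTypes[1]['fields'][0]), PHP_EOL;
```

Running the script reports only the `promo` label and prints that label with its angle brackets encoded, so the browser treats it as text rather than as a script element.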


Vulnerability details

Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, a cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

craftcms
craft cms
≤ 4.3.7

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses CWE-79)
- Validates web inputs to reject script-related content that could produce XSS. (addresses CWE-79)
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses CWE-79)
