VulnerableCode Package Details - pkg:composer/craftcms/cms@4.4.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-2vn9-2cs3-vbg3 Aliases: CVE-2023-33196 GHSA-cjmm-x9x9-m2w5	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.	4.4.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2vn9-2cs3-vbg3
Aliases:
CVE-2023-33196
GHSA-cjmm-x9x9-m2w5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.

4.4.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5pur-jy1x-gfhv	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.	CVE-2023-33197 GHSA-6qjx-787v-6pxr
VCID-hm7h-7cu3-8be1	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.	CVE-2023-33194 GHSA-3wxg-w96j-8hq9
VCID-rvrz-498f-2uet	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.	CVE-2023-33195 GHSA-qpgm-gjgf-8c2x
VCID-wcx6-wed9-gub2	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.	CVE-2023-32679 GHSA-vqxf-r9ph-cc9c

Vulnerability

Summary

Aliases

VCID-5pur-jy1x-gfhv

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

CVE-2023-33197
GHSA-6qjx-787v-6pxr

VCID-hm7h-7cu3-8be1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.

CVE-2023-33194
GHSA-3wxg-w96j-8hq9

VCID-rvrz-498f-2uet

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.

CVE-2023-33195
GHSA-qpgm-gjgf-8c2x

VCID-wcx6-wed9-gub2

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-32679
GHSA-vqxf-r9ph-cc9c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:44:54.232046+00:00	GitLab Importer	Fixing	VCID-rvrz-498f-2uet	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2023-33195.yml	38.6.0
2026-06-02T04:44:53.937430+00:00	GitLab Importer	Affected by	VCID-2vn9-2cs3-vbg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2023-33196.yml	38.6.0
2026-06-02T04:44:53.672730+00:00	GitLab Importer	Fixing	VCID-hm7h-7cu3-8be1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2023-33194.yml	38.6.0
2026-06-02T04:44:53.569751+00:00	GitLab Importer	Fixing	VCID-5pur-jy1x-gfhv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2023-33197.yml	38.6.0
2026-06-02T04:44:50.559214+00:00	GitLab Importer	Fixing	VCID-wcx6-wed9-gub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2023-32679.yml	38.6.0