CVE-2023-36828

low-risk
Published 2023-07-05

Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.

Do I need to act?

-
0.30% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Statamic

References (12)

Product https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/sr...
Product https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/sr...
Patch https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d
Patch https://github.com/statamic/cms/pull/8408
Release Notes https://github.com/statamic/cms/releases/tag/v4.10.0
Exploit https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g
Product https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/sr...
Product https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/sr...
Patch https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d
Patch https://github.com/statamic/cms/pull/8408
Release Notes https://github.com/statamic/cms/releases/tag/v4.10.0
Exploit https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g
23
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal