CVE-2023-36260 - OpenCVE

An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has "nothing to do with security."

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Craftcms	Craft Cms

Configuration 1 [-]

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28
https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29	Broken Link
https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2024-01-30T00:00:00

Updated: 2024-02-06T06:58:37.021505

Reserved: 2023-06-21T00:00:00

Link: CVE-2023-36260

JSON object: View

NVD Information

Status : Modified

Published: 2024-01-30T09:15:47.440

Modified: 2024-05-17T02:25:39.410

Link: CVE-2023-36260

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "8622F89B-52E2-4EE9-96CB-4A411E27F065", "versionEndExcluding": "4.6.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has \"nothing to do with security.\""}, {"lang": "es", "value": "Un problema descubierto en Craft CMS versi\u00f3n 4.6.1. permite a atacantes remotos provocar una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de una cadena manipulada en los campos Feed-Me Name y Feed-Me URL debido a que se guarda un feed utilizando un tipo de elemento Asset sin volumen seleccionado."}], "id": "CVE-2023-36260", "lastModified": "2024-05-17T02:25:39.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-30T09:15:47.440", "references": [{"source": "cve@mitre.org", "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}