CVE-2023-46252

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Nov 7, 2023
Updated: Nov 15, 2023
CWE ID 79

Summary

CVE-2023-46252 is a vulnerability in Squidex, an open-source headless CMS and content management hub. The root cause is a missing origin check in a postMessage handler, which results in Cross-Site Scripting (XSS). Three class-like functions in editor-sdk.js, SquidexSidebar, SquidexWidget, and SquidexFormField, register global message event listeners that act on the type of each incoming message without verifying event.origin. Because the check is absent, any window that can obtain a reference to the frame (for example a page that embeds it in an iframe or opened it with window.open) can send messages that the listeners treat as if they came from the Squidex editor. When SquidexFormField receives a message of type valueChanged, it stores the message's value property, and an attacker-controlled value supplied through this path is enough to trigger the XSS. The exploitation vector is the editor-editorjs.html file, which loads the SDK and is served from the public wwwroot folder: an attacker does not need to modify that file, only to load it from a page they control and post a crafted valueChanged message to it. Remediation is to update to a Squidex release in which the handlers verify the message origin; a Content-Security-Policy frame-ancestors directive stops the iframe variant but not delivery through a window.open reference, so it is a mitigation, not a fix.
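The following is an added example, not code from Squidex or from editor-sdk.js. It models a postMessage listener for the valueChanged message type in the shape the advisory describes, first without an origin check and then with one, and delivers the same attacker-controlled message to both. The trusted origin, the field object, the escaping sink and the simulated MessageEvent are assumptions chosen for illustration.

```javascript
// Added example (not Squidex's editor-sdk.js): a minimal "valueChanged"
// postMessage listener without and with origin verification.

const TRUSTED_ORIGINS = ['https://cms.example.com']; // assumption: origin hosting the editor

// Escape a value so the editor shows it as text instead of parsing it as HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: any window that can reach this frame can set the value,
// and the value is treated as raw HTML (in a browser: assigned to innerHTML).
function vulnerableListener(field) {
  return function onMessage(event) {
    const msg = event.data || {};
    if (msg.type === 'valueChanged') {
      field.value = msg.value;
      field.html = String(msg.value);
      return true;
    }
    return false;
  };
}

// Hardened shape: accept only trusted origins, validate the message shape,
// and never treat the value as markup.
function hardenedListener(field, trustedOrigins = TRUSTED_ORIGINS) {
  return function onMessage(event) {
    if (!trustedOrigins.includes(event.origin)) {
      return false; // drop messages from any other origin
    }
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || msg.type !== 'valueChanged') {
      return false;
    }
    field.value = msg.value;
    field.html = escapeHtml(msg.value);
    return true;
  };
}

// Simulated MessageEvent (constructed for this example). In a browser the
// handler is registered with window.addEventListener('message', handler).
function fakeMessageEvent(origin, data) {
  return { origin, data, source: null };
}

// Deliver one attacker-controlled valueChanged message to each listener,
// then the same message from the trusted origin, and report the results.
function demo() {
  const payload = '<img src=x onerror="alert(document.domain)">';
  const attackerEvt = fakeMessageEvent('https://attacker.example', {
    type: 'valueChanged',
    value: payload,
  });

  const vulnerable = { value: null, html: '' };
  const hardened = { value: null, html: '' };

  const acceptedByVulnerable = vulnerableListener(vulnerable)(attackerEvt);
  const acceptedByHardened = hardenedListener(hardened)(attackerEvt);

  const trustedEvt = fakeMessageEvent(TRUSTED_ORIGINS[0], attackerEvt.data);
  const acceptedFromTrusted = hardenedListener(hardened)(trustedEvt);

  return { acceptedByVulnerable, acceptedByHardened, acceptedFromTrusted, vulnerable, hardened };
}

console.log(JSON.stringify(demo(), null, 2));
```

The origin check is what CVE-2023-46252 lacks; the escaping is a second, independent layer, because a trusted origin can still relay untrusted content. Comparing event.origin against an explicit allowlist is the reliable test; checking event.source or the message's own fields is not, since both are under the sender's control.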
