Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Craft CMS - CVE-2024-45406

Published: September 9, 2024 / Updated: April 17, 2026

Vulnerability identifier: #VU126472
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-45406
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software: Craft CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the control panel.

The vulnerability exists due to improper neutralization of input during web page generation: the control panel's breadcrumb list and title fields render stored, user-supplied category titles, entry titles, usernames, or full names without adequate HTML encoding. A remote user can store a specially crafted value in one of these fields so that arbitrary script executes in the control panel when the page is rendered.

User interaction is required to view an affected control panel page.
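As an added illustration, not code from Craft CMS or from this advisory, the PHP below contrasts a breadcrumb renderer that concatenates stored titles straight into markup with one that encodes every stored value for the HTML context it lands in. The function names, the sample data and the URL scheme rule are assumptions made for the example.

```php
<?php
// Added example (not Craft CMS code): rendering stored titles into a
// breadcrumb list, first without and then with contextual HTML encoding.

declare(strict_types=1);

/**
 * Escape a stored value for HTML element content or a double-quoted
 * attribute value. ENT_QUOTES covers both quote characters;
 * ENT_SUBSTITUTE keeps invalid UTF-8 from turning the result into "".
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Attribute encoding alone does not stop a "javascript:" href, so URLs
 * additionally pass through an allow-list of schemes (assumed policy:
 * only relative paths and http/https are accepted; anything else becomes "#").
 */
function safeHref(string $url): string
{
    if (str_starts_with($url, '/') || preg_match('#^https?://#i', $url) === 1) {
        return h($url);
    }
    return '#';
}

/**
 * Vulnerable pattern: stored values are concatenated unchanged, so any
 * markup saved in a title or username becomes part of the control panel page.
 */
function renderBreadcrumbsUnsafe(array $crumbs): string
{
    $items = '';
    foreach ($crumbs as $crumb) {
        $items .= '<li><a href="' . $crumb['url'] . '">' . $crumb['title'] . '</a></li>';
    }
    return '<ul class="breadcrumbs">' . $items . '</ul>';
}

/**
 * Hardened pattern: each value is encoded for the context it is placed in
 * (attribute value vs. element text), so stored markup is displayed as text.
 */
function renderBreadcrumbsSafe(array $crumbs): string
{
    $items = '';
    foreach ($crumbs as $crumb) {
        $items .= '<li><a href="' . safeHref($crumb['url']) . '">' . h($crumb['title']) . '</a></li>';
    }
    return '<ul class="breadcrumbs">' . $items . '</ul>';
}

// Constructed sample data: a category title that happens to contain markup.
$crumbs = [
    ['title' => 'Categories',              'url' => '/admin/categories'],
    ['title' => 'News & <b>Events</b>',    'url' => '/admin/categories/news'],
];

echo renderBreadcrumbsUnsafe($crumbs), PHP_EOL; // the <b> tag reaches the browser as markup
echo renderBreadcrumbsSafe($crumbs), PHP_EOL;   // the tag is emitted as &lt;b&gt; and shown as text
```

In Twig templates, which Craft uses, `{{ crumb.title }}` applies this kind of HTML escaping automatically, while `{{ crumb.title|raw }}` or building markup in PHP by string concatenation does not; the advisory does not state which rendering path was affected, so the example shows the general pattern rather than the specific fix. When reviewing a patch for a bug of this class, the check to look for is that every stored, user-controlled field is encoded at the point it is emitted, not that it was filtered when saved.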

How to mitigate CVE-2024-45406

Install the security update from the vendor's website.
