CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting   
[-] Software Link:  
[-] Affected Versions:  
Version 4.0.2 and prior versions.  
Version 3.1.27 and prior versions.  
[-] Vulnerabilities Description:  
There are multiple Reflected Cross-Site Scripting vulnerabilities   
affecting CrafterCMS.  
The vulnerabilities exist in every API endpoint that reflects some input
parameter and produces an XML response. Following are some examples:
• /api/1/site/url/transform - url and transformerName parameters are
โ€ข /api/1/site/content_store/children - url parameter is affected  
โ€ข /api/1/site/content_store/item - url parameter is affected  
[-] Solution:  
Upgrade to version 4.0.3, 3.1.28, or later.  
[-] Disclosure Timeline:  
[22/11/2022] - Vendor notified  
[24/03/2023] - Fixed versions released  
[03/08/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory  
[-] CVE Reference:  
The Common Vulnerabilities and Exposures project (  
has assigned the name CVE-2023-4136 to these vulnerabilities.  
[-] Credits:  
Vulnerabilities discovered by Egidio Romano, working with IMQ Minded   
[-] Original Advisory:  
[-] Other References: