Skip to main content

Statamic CVE-2023-48701

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-11-21 security-advisories@github.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 21, 2023 - 23:15 nvd
MEDIUM 6.1

DescriptionNVD

Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 an 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched on 3.4.15 and 4.36.0.

AnalysisAI

Statamic CMS is a Laravel and Git powered content management system (CMS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 an 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched on 3.4.15 and 4.36.0. Affected products include: Statamic.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-47129 CRITICAL
9.8 Nov 10

Statmic is a core Laravel content management system Composer package. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-36828 MEDIUM POC
5.4 Jul 05

Statamic is a flat-first, Laravel and Git powered content management system. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-27593 CRITICAL
9.3 Feb 24

Password reset poisoning in Statamic CMS before 6.3.3/5.73.10 allows attackers to steal password reset tokens by manipul

CVE-2017-11422 HIGH
8.8 Jul 24

Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class ar

CVE-2026-27939 HIGH
8.8 Feb 27

Authenticated Statamic CMS users (versions 6.0.0-6.3.x) can bypass privilege escalation verification checks to gain unau

CVE-2023-48217 HIGH
8.8 Nov 14

Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. Rated high severity (CVSS 8.8), this

CVE-2018-19598 MEDIUM POC
4.8 Dec 19

Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request. Rated medium seve

CVE-2026-28426 HIGH
8.7 Feb 27

Statmatic is a Laravel and Git powered content management system (CMS). [CVSS 8.7 HIGH]

CVE-2026-25759 HIGH
8.7 Feb 11

Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent

CVE-2026-27196 HIGH
8.1 Feb 21

Versions 5.73.8 and below in addition to 6.0.0-alpha.1 versions up to 6.3.1 is affected by cross-site scripting (xss) (C

CVE-2026-28425 HIGH
8.0 Feb 27

Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel

CVE-2026-28423 MEDIUM
6.8 Feb 27

Statmatic is a Laravel and Git powered content management system (CMS). [CVSS 6.8 MEDIUM]

Share

CVE-2023-48701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy