Title: Stored XSS in User Addresses Title in Craft CMS
CVE ID: CVE-2022-37250
CVSSv3 Base Score: 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vendor: Craft CMS
Products: Craft CMS
Advisory Release Date: 7 Sep 2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-37250
Credits: Discovery by Gil Correia <gil.correia[at]devoteam.com>
For this XSS the attacker needs to create a new user and associate the Field “Addresses” to the new user.
From there, the attacker should go to the path /admin/myaccount, select the new user and Add an address. Now the title should contain the new xss payload, and hit the save button.