CVE-2022-37246 Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and on the line label: elementInfo.label.

An attacker can leverage this vulnerability to execute arbitrary script code in the user's browser session.

What's more, this vulnerability can be exploited to steal cookie-sensitive information. This includes information such as logged-in user's name, email, and password.

An attacker can exploit this vulnerability to access the system of an unsuspecting user.

The following versions are vulnerable:

* All versions prior to 4.2.0.1

What to do?

Update your production installation to the latest version.

Go to Settings > System > Updates and check for updates.

If you are using self-hosted WordPress or another CMS, then you need to update the CMS.

In order to update the CMS, contact the vendor or host responsible for the installation.

In a self-hosted setup, you can upgrade the CMS by following the CMS upgrade guide.

In a self-hosted setup, if you are using a plugin or something else that is not the responsibility of the CMS vendor, then you will have to upgrade it.

If you are using a hosting provider, then they usually have a mechanism in place to patch the vulnerable code.

In a hosting provider setup, you will have to contact the hosting provider to upgrade the CMS.

In any case, always make sure to update your software to keep yourself safe.

What's next?

If you are running a

4.2.0.1

If you are running a WordPress site, then you should update to the latest version.
If you are using a self-hosted CMS, then you need to upgrade it.
In a hosting provider setup, you will have to contact the hosting provider to upgrade the CMS.
For any other installation, make sure that you update your software and keep yourself safe!

References ! [CVE-2022-37246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37246)

* **An attacker can leverage this vulnerability to execute arbitrary script code in the user's browser session.**
* **This vulnerability can be exploited to steal cookie-sensitive information. This includes information such as logged-in user's name, email, and password.**
* **An attacker can exploit this vulnerability to access the system of an unsuspecting user.**
* **The following versions are vulnerable:**
* **All versions prior to 4.2.0.1**
* **What to do?**
* **Update your production installation to the latest version.*
* **Go to Settings > System > Updates and check for updates.*

Timeline

Published on: 09/21/2022 15:15:00 UTC
Last modified on: 09/22/2022 18:34:00 UTC

References

• https://github.com/craftcms/cms/commit/1d5fdba23c84d6d09a8a980c7b6fc52fb93b679b
• https://labs.integrity.pt/advisories/cve-2022-37246/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37246