Critical XSS Vulnerability in CiviCRM and PostfixAdmin Affecting Multiple Ubuntu Releases

Severity: High (Score: 70.5)

Sources: Linuxsecurity

Summary

A critical cross-site scripting (XSS) vulnerability, CVE-2023-28447, affects CiviCRM and PostfixAdmin across several Ubuntu versions, including 22.04 LTS, 20.04 LTS, 18.04 LTS, 16.04 LTS, and 24.04 LTS. Discovered by Takuya Aramaki, the flaw allows attackers to execute malicious JavaScript in users' browsers through specially crafted input. The vulnerability was first published on March 28, 2023, with a proof of concept available shortly after. Ubuntu has released updates to mitigate this issue, and users are advised to update their systems promptly. The problem is particularly concerning because of its potential for exploitation in environments running these applications. The advisory emphasizes the importance of applying the updates to prevent possible attacks.

Key Points:

  • CVE-2023-28447 affects CiviCRM and PostfixAdmin across multiple Ubuntu versions.
  • Attackers can exploit the vulnerability to execute malicious JavaScript in users' browsers.
  • Users are urged to update their systems immediately to mitigate the risk.

Key Entities

  • XSS (vulnerability)
  • CVE-2023-28447 (cve)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • T1059.007 - JavaScript (mitre_attack)
  • CiviCRM (platform)
  • PostfixAdmin (platform)
  • Smarty (platform)
  • Ubuntu (company)