CVE-2023-38904 in Netlify
Summary
by MITRE • 08/16/2023
A Cross Site Scripting (XSS) vulnerability in Netlify CMS v.2.10.192 allows a remote attacker to execute arbitrary code via a crafted payload to the body parameter of the new post function.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/20/2026
The vulnerability identified as CVE-2023-38904 represents a critical cross site scripting flaw within Netlify CMS version 2.10.192 that exposes the application to remote code execution risks. This vulnerability resides in the new post function where the body parameter fails to properly sanitize user input, creating an avenue for malicious actors to inject malicious scripts that can be executed within the context of other users' browsers. The flaw demonstrates characteristics consistent with CWE-79 - Improper Neutralization of Input During Web Page Generation into a Web Browser, which specifically addresses the failure to properly escape or validate user-supplied data before incorporating it into web responses.
The technical implementation of this vulnerability allows attackers to craft malicious payloads that, when processed through the CMS's new post functionality, can be stored and subsequently executed in the browsers of other users who access the affected content. This creates a persistent threat vector where a single compromised post can affect multiple users who view the content, making the vulnerability particularly dangerous in collaborative environments where multiple editors and administrators interact with the same content management system. The vulnerability operates at the application layer and requires no authentication to exploit, making it especially concerning for organizations that rely on Netlify CMS for their content management needs.
The operational impact of this vulnerability extends beyond simple script execution to encompass potential data theft, session hijacking, and further exploitation opportunities. When successful, attackers can leverage the XSS vector to steal cookies, access sensitive administrative functions, or redirect users to malicious sites that can harvest additional credentials or install malware. This vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as attackers can craft malicious posts that, when viewed by administrators or other users, can trigger malicious code execution. The vulnerability also maps to ATT&CK technique T1059.007 - Command and Scripting Interpreter: JavaScript, as the attack vector specifically targets JavaScript execution within web browsers.
Organizations utilizing Netlify CMS version 2.10.192 should immediately implement mitigations including input sanitization of all user-supplied content, particularly in the body parameter of post creation functions. The recommended approach involves implementing proper output encoding and validation mechanisms that prevent the execution of malicious scripts within the CMS interface. Additionally, organizations should consider implementing content security policies that restrict script execution and limit the potential impact of successful exploitation attempts. The most effective long-term solution involves upgrading to a patched version of Netlify CMS where the vulnerability has been addressed through proper input validation and sanitization mechanisms. Security teams should also implement monitoring for suspicious post creation activities and establish incident response procedures to quickly identify and remediate any exploitation attempts that may occur.