CVE-2023-36260

7.5 HIGH

📋 TL;DR

The Feed Me plugin 4.6.1 for Craft CMS contains a denial-of-service vulnerability: a remote attacker who can create or edit feeds can submit crafted strings in the Feed-Me Name and URL fields, and saving a feed that uses the Asset element type with no volume selected then crashes the application. Craft CMS installations running this version of the plugin are affected.

💻 Affected Systems

Products:
  • Craft CMS Feed Me plugin
Versions: 4.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Craft CMS installations with Feed Me plugin enabled. The vulnerability requires the Asset element type feature to be accessible.

📦 What is this software?

Feed Me is a Craft CMS plugin, published by Pixel & Tonic under the craftcms GitHub organization, that imports content from XML, RSS, Atom, JSON and CSV feeds into Craft elements (entries, categories, users, assets and others). Feeds are created, configured and saved from the Craft control panel, which is where the vulnerable Name and URL fields are exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability requiring manual intervention to restore functionality, potentially disrupting website operations and business continuity.

🟠

Likely Case

Temporary service disruption affecting feed processing functionality, requiring administrator intervention to clear problematic feeds.

🟢

If Mitigated

Minimal impact with proper input validation and monitoring in place, allowing quick detection and remediation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the feed creation or editing screens in the control panel, so an unauthenticated attacker cannot trigger it directly. Note that, according to third-party analysis, the commit cited as the vendor reference below may not directly address the security issue, so a version-based check alone should be treated with caution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated in this advisory. Any release later than 4.6.1 that includes the referenced commit; use the latest Feed Me release for your Craft version.

Vendor Advisory: https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28

Restart Required: No

Instructions:

1. Update the Feed Me plugin to the latest version, either from the Craft control panel (Utilities → Updates) or with Composer.
2. Verify that the update completed successfully and that the installed version is later than 4.6.1.
3. Test feed creation, including a feed with the Asset element type, to confirm saving no longer crashes.

🔧 Temporary Workarounds

Disable Asset Element Type (applies to: all)

Temporarily disable or restrict access to the Asset element type in Feed Me, so that feeds cannot be saved with Asset as the element type and no volume selected.

Input Validation (applies to: all)

Implement additional input validation for the Feed-Me Name and URL fields (for example, length limits, rejection of control characters, and requiring a well-formed http(s) URL) before a feed is saved.

🧯 If You Can't Patch

  • Restrict access to feed management functionality to trusted administrators only
  • Implement web application firewall rules to block suspicious feed-related requests

🔍 How to Verify

Check if Vulnerable:

Check the Feed Me plugin version in the Craft control panel (Settings → Plugins) or with composer show craftcms/feed-me; version 4.6.1 is the release this advisory lists as affected.

Check Version:

composer show craftcms/feed-me | grep version

Verify Fix Applied:

Verify plugin version is updated beyond 4.6.1 and test feed creation with Asset element type
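The version check above can be automated against a project's composer.lock (present in every Composer-managed Craft project) and against the text that composer show prints. The script below is an added example, not code from this page, Craft CMS or the Feed Me project. It assumes the Composer package name craftcms/feed-me (as in the command above), that 4.6.1 is the only release this advisory lists as affected, and the composer.lock and composer show snippets embedded in it, which are constructed samples. Because the referenced commit may not be the real fix, a "later-than-affected" result is a necessary check, not proof of safety.

```python
"""Classify the Feed Me release pinned in a Craft project against CVE-2023-36260's listed version.

Added example, not from the page or the Feed Me project. Assumes the package name
craftcms/feed-me, that 4.6.1 is the only listed affected release, and constructed samples.
"""
import json
import re
from typing import Optional

PACKAGE = "craftcms/feed-me"
AFFECTED = (4, 6, 1)  # the only version this advisory lists


def parse_version(version: str) -> tuple:
    """'v4.6.1' or '4.6.1-beta.2' -> (4, 6, 1); pre-release suffixes are ignored for comparison."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def classify(version: str) -> str:
    """Compare an installed version with the release this advisory lists."""
    v = parse_version(version)
    if v == AFFECTED:
        return "vulnerable"            # exactly the listed release
    if v > AFFECTED:
        return "later-than-affected"   # version check passes; see caveat about the commit
    return "older-than-listed"         # not covered by this advisory; do not assume it is safe


def feedme_status(lock_text: str) -> dict:
    """Read composer.lock (prod and dev packages) and classify the pinned Feed Me release."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            ver = pkg.get("version", "")
            return {"installed": True, "version": ver, "state": classify(ver)}
    return {"installed": False, "version": None, "state": "not-installed"}


def version_from_composer_show(output: str) -> Optional[str]:
    """Pull the installed version out of `composer show craftcms/feed-me` text.

    Composer marks the installed release with an asterisk on a line like 'versions : * 4.6.1'.
    """
    m = re.search(r"^versions\s*:\s*\*\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample inputs (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.4.16"},
        {"name": "craftcms/feed-me", "version": "4.6.1"},
    ],
    "packages-dev": [],
})

SAMPLE_SHOW = """\
name     : craftcms/feed-me
descrip. : Import content from XML, RSS, CSV or JSON feeds into Craft CMS.
versions : * 4.6.1
type     : craft-plugin
"""

if __name__ == "__main__":
    print(feedme_status(SAMPLE_LOCK))
    print(classify(version_from_composer_show(SAMPLE_SHOW)))
```

To use it on a real project, pass the contents of composer.lock to feedme_status(), or pipe the output of composer show craftcms/feed-me into version_from_composer_show() and then classify(). A result of "vulnerable" means the advisory's listed version is pinned; "older-than-listed" means the page gives no verdict for that release.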

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed feed save attempts
  • Error logs mentioning Asset element type or volume selection
  • Unusual feed creation patterns

Network Indicators:

  • Repeated POST requests to feed creation endpoints with crafted strings

SIEM Query:

source="craft_cms_logs" AND (message="*Asset*" OR message="*feed*error*")
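The indicators above (error lines mentioning Asset or volume selection, and bursts of POSTs to the feed-save endpoint) can be run over raw logs without a SIEM. The script below is an added example, not code from this page or the Feed Me project. The Craft web-log and HTTP access-log lines it contains are simplified constructions (the page does not give the real error text for a failed save); the control-panel path /admin/actions/feed-me/feeds/save-feed used for saving a feed is an assumption; the burst threshold and window are illustrative. The message filter reuses the two wildcard terms from the SIEM query, applied case-insensitively.

```python
"""Apply the log and network indicators for CVE-2023-36260 to constructed sample log lines.

Added example, not from the page or the Feed Me project. The log formats, the feed-save
path and the thresholds below are assumptions or constructed samples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Same wildcard terms as the SIEM query, matched case-insensitively.
MESSAGE_PATTERNS = ("*asset*", "*feed*error*")
FEED_SAVE_PATH = "/admin/actions/feed-me/feeds/save-feed"   # assumed, not from the page

LOG_RE = re.compile(r"^(\S+ \S+) \[web\.(\w+)\] (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def siem_match(message: str) -> bool:
    """True if the message matches either wildcard term from the SIEM query."""
    low = message.lower()
    return any(fnmatch(low, p) for p in MESSAGE_PATTERNS)


def feed_error_lines(log_text: str) -> list:
    """Return (timestamp, level, message) for Craft log lines that match the SIEM terms."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and siem_match(m.group(3)):
            hits.append(m.groups())
    return hits


def burst_feed_saves(access_text: str, threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> dict:
    """Client IPs with at least `threshold` POSTs to the feed-save action inside a sliding window.

    Returns {ip: peak number of such POSTs seen within one window}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or path.split("?")[0] != FEED_SAVE_PATH:
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed Craft web log lines (storage/logs/web-*.log style, simplified).
CRAFT_LOG = """\
2023-06-21 09:14:02 [web.INFO] Saving feed "Products" with element type craft\\elements\\Entry
2023-06-21 09:14:09 [web.ERROR] [yii\\base\\ErrorException] Feed Me: cannot save feed "x": Asset element type selected but no volume chosen
2023-06-21 09:14:10 [web.ERROR] [yii\\base\\ErrorException] Feed Me: cannot save feed "x": Asset element type selected but no volume chosen
2023-06-21 09:14:11 [web.ERROR] [TypeError] Feed Me: error while saving feed "x": volume is null
2023-06-21 09:30:00 [web.INFO] Feed "News" saved
"""

# Constructed access log in combined format.
ACCESS_LOG = """\
203.0.113.7 - - [21/Jun/2023:09:14:08 +0000] "POST /admin/actions/feed-me/feeds/save-feed HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2023:09:14:09 +0000] "POST /admin/actions/feed-me/feeds/save-feed HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2023:09:14:10 +0000] "POST /admin/actions/feed-me/feeds/save-feed HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2023:09:14:11 +0000] "GET /admin/feed-me/feeds/new HTTP/1.1" 200 8804 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2023:09:15:40 +0000] "POST /admin/actions/feed-me/feeds/save-feed HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
198.51.100.5 - - [21/Jun/2023:09:30:00 +0000] "POST /admin/actions/feed-me/feeds/save-feed HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ts, level, msg in feed_error_lines(CRAFT_LOG):
        print(ts, level, msg)
    print(burst_feed_saves(ACCESS_LOG))
```

On the constructed samples the three ERROR lines are reported and the client at 203.0.113.7 is flagged for four feed-save POSTs inside five minutes, while the single successful save from 198.51.100.5 is not. Against real logs, confirm the actual feed-save path from your web server configuration or the Craft control panel before relying on FEED_SAVE_PATH, and tune the threshold to your editors' normal usage.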
