{"id":"CVE-2023-36260","details":"An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has \"nothing to do with security.\"","aliases":["GHSA-6p78-f7h9-6838"],"modified":"2026-04-10T05:01:36.364197Z","published":"2024-01-30T09:15:47.440Z","references":[{"type":"ADVISORY","url":"https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D"},{"type":"FIX","url":"https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28"},{"type":"FIX","url":"https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/feed-me","events":[{"introduced":"0"},{"fixed":"b5d6ede51848349bd91bc95fec288b6793f15e28"}]},{"type":"GIT","repo":"https://github.com/craftcms/feed-me","events":[{"introduced":"0"},{"fixed":"b5d6ede51848349bd91bc95fec288b6793f15e28"}]}],"versions":["1.4.0","1.4.1","1.4.10","1.4.11","1.4.12","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","2.0.0","2.0.1","2.0.10","2.0.11","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","3.0.0","3.0.0-beta.1","3.0.0-beta.10","3.0.0-beta.11","3.0.0-beta.12","3.0.0-beta.13","3.0.0-beta.14","3.0.0-beta.15","3.0.0-beta.16","3.0.0-beta.17","3.0.0-beta.18","3.0.0-beta.19","3.0.0-beta.2","3.0.0-beta.20","3.0.0-beta.21","3.0.0-beta.22","3.0.0-beta.23","3.0.0-beta.24","3.0.0-beta.25","3.0.0-beta.27","3.0.0-beta.28","3.0.0-beta.29","3.0.0-beta.3","3.0.0-beta.30","3.0.0-beta.4","3.0.0-beta.5","3.0.0-beta.6","3.0.0-beta.7","3.0.0-beta.8","3.0.0-beta.9","3.0.1","3.0.2","3.0.2.1","3.1.0","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","4.4.0","4.4.3","4.5.0","4.5.1","4.5.2","4.5.3","4.5.4","4.6.0","4.6.1","4.6.1.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36260.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}