Craft CMS 4.x (>=4.0.0-RC1 <4.17.0-beta.1) and 5.x (>=5.0.0-RC1 <5.9.0-beta.1) have multiple stored cross-site scripting vulnerabilities due to improper neutralization of input during web page generation. Specifically, settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template using {{ label|raw }}), enabling an authenticated administrator with allowAdminChanges enabled to inject malicious JavaScript into various UI elements such as section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels. This results in arbitrary JavaScript execution in other users' control panel sessions. The issue is fixed in versions 4.17.0-beta.1 and 5.9.0-beta.1.

An authenticated administrator with allowAdminChanges enabled can inject malicious JavaScript payloads into multiple UI elements, causing arbitrary script execution in other users' control panel sessions. This could lead to session hijacking, unauthorized actions, or other impacts associated with stored cross-site scripting in the administrative interface. The vulnerability requires high privileges (administrator) and user interaction (authenticated users accessing the control panel).

Fixed versions are available starting from 4.17.0-beta.1 and 5.9.0-beta.1. Users should upgrade to these or later versions to remediate the vulnerability. Since this is not a cloud service, patching the affected software is required. There is no vendor advisory content provided to indicate alternative mitigations or temporary fixes. Patch status is not explicitly confirmed beyond the fixed versions stated; therefore, verify with the vendor advisory for the latest remediation guidance.