Latest craftcms craft cms Vulnerabilities

CVE-2023-36260
An issue discovered in Craft CMS version 4.6.1.1 allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asse...
composer/craftcms/cms<4.6.2
Craftcms Craft Cms<4.6.1.1
CVE-2023-36259
Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.
composer/superbig/craft-audit<3.0.2
Craftcms Craft Cms<3.0.2
CVE-2024-21622
Craft CMS Privilege Escalation
composer/craftcms/cms>=3.0.0<=3.9.5
composer/craftcms/cms>=4.0.0-RC1<=4.5.10
Craftcms Craft Cms>=3.0.0<3.9.6
Craftcms Craft Cms>=4.0.0<=4.5.15
CVE-2023-41892
Craft CMS Remote Code Execution vulnerability
Craftcms Craft Cms>=4.4.0<4.4.15
composer/craftcms/cms>=4.0.0-RC1<=4.4.14
CVE-2023-40035
### Summary Bypassing the validatePath function can lead to potential Remote Code Execution (Post-authentication, ALLOW_ADMIN_CHANGES=true) ### Details In bootstrap.php, the SystemPaths path is set ...
Craftcms Craft Cms>=3.0.0<3.8.15
Craftcms Craft Cms>=4.0.0<4.4.15
Craftcms Craft Cms=4.0.0-rc1
CVE-2023-33495
Craft CMS through 4.4.9 is vulnerable to HTML Injection.
composer/craftcms/cms<=4.4.9
Craftcms Craft Cms<=4.4.9
CVE-2023-30179
** DISPUTED ** CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo L...
Craftcms Craft Cms=3.7.59
composer/craftcms/cms<4.4.2
=3.7.59
CVE-2023-2817
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a...
Craftcms Craft Cms<=4.4.11
composer/craftcms/cms>=4.0.0-RC1<4.4.12
composer/craftcms/cms<4.4.12
CVE-2023-33197
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
Craftcms Craft Cms<4.4.6
composer/craftcms/cms>=4.0.0-RC1<=4.4.5
CVE-2023-33196
### Summary XSS can be triggered by review volumes ### PoC 1. Access setting tab 2. Create new assets 3. In assets name inject payload: "<script>alert(1337)</script> 4. Click Utiliti...
Craftcms Craft Cms=4.0.0-rc3
Craftcms Craft Cms=4.0.0-rc1
Craftcms Craft Cms=4.0.0-rc2
Craftcms Craft Cms>=4.0.1<4.4.7
Craftcms Craft Cms=4.0.0
composer/craftcms/cms>=4.0.0-RC1<=4.4.6
CVE-2023-33195
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
Craftcms Craft Cms>=4.3.0<4.4.6
CVE-2023-33194
### Summary The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. ### Details Old CVE fixed the XSS in label HTML but didn’t f...
Craftcms Craft Cms>=3.0.0<3.8.6
Craftcms Craft Cms>=4.0.1<4.4.6
Craftercms Craftercms=4.0.0
Craftercms Craftercms=4.0.0-rc1
Craftercms Craftercms=4.0.0-rc2
Craftercms Craftercms=4.0.0-rc3
CVE-2023-32679
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty stri...
Craftcms Craft Cms>=4.0.0<4.4.6
composer/craftcms/cms>=4.0.0<4.4.6
CVE-2023-30130
An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
Craftcms Craft Cms=3.8.1
composer/craftcms/cms<=3.8.1
CVE-2023-31144
Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue i...
Craftcms Craft Cms>=3.0.0<=3.8.3
Craftcms Craft Cms>=4.0.0<=4.4.3
composer/craftcms/cms>=4.0.0<=4.4.3
composer/craftcms/cms>=3.0.0<=3.8.3
CVE-2023-30177
CraftCMS prior to version 3.7.68 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.
composer/craftcms/cms<3.7.68
Craftcms Craft Cms=3.7.59
CVE-2023-23927
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on t...
Craftcms Craft Cms<4.3.7
CVE-2022-37783
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF...
Craftcms Craft Cms>=3.0.0<=3.7.32
CVE-2022-37246
Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.
Craftcms Craft Cms=4.2.0.1
CVE-2022-37251
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.
Craftcms Craft Cms=4.2.0.1
CVE-2022-37247
Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields page.
Craftcms Craft Cms=4.2.0.1
CVE-2022-37248
Craftcms Craft Cms=4.2.0.1
CVE-2022-37250
Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.
Craftcms Craft Cms=4.2.0.1
CVE-2022-29933
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header t...
Craftcms Craft Cms<=3.7.36
CVE-2022-28378
Craft CMS before 3.7.29 allows XSS.
Craftcms Craft Cms<3.7.29
CVE-2021-41824
Craft CMS before 3.7.14 allows CSV injection.
Craftcms Craft Cms>=3.4.0<3.7.14
CVE-2021-27902
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.
composer/craftcms/cms<3.6.0
Craftcms Craft Cms<3.6.0
CVE-2021-27903
An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker ...
Craftcms Craft Cms<3.6.7
CVE-2021-32470
Craft CMS before 3.6.13 has an XSS vulnerability.
composer/craftcms/cms<3.6.13
Craftcms Craft Cms<3.6.13
CVE-2020-19626
Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Craftcms Craft Cms=3.1.31
composer/craftcms/cms<3.1.33
CVE-2020-9757
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
Craftcms Craft Cms<3.3.0
CVE-2019-9554
In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.
Craftcms Craft Cms=3.1.12
CVE-2019-15929
In Craft CMS before 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
Craftcms Craft Cms<=3.1.7
composer/craftcms/cms<3.1.7
CVE-2019-17496
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.
composer/craftcms/cms<3.3.8
Craftcms Craft Cms<3.3.8
CVE-2019-14280
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to ...
Craftcms Craft Cms>=2.0.2524<2.7.10
Craftcms Craft Cms>=3.0.0<3.2.6
CVE-2019-12823
Craft CMS before 3.1.31 does not properly filter XML feeds, thus allowing XSS.
composer/craftcms/cms<3.1.31
Craftcms Craft Cms<3.1.31
CVE-2018-20465
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and cr...
Craftcms Craft Cms<=3.0.34
CVE-2018-20418
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
Craftcms Craft Cms=3.0.25

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203