Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Craft_cms
(Craftcms)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 47 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-05-26 | CVE-2023-2817 | A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. | Craft_cms | 5.4 | ||
| 2023-06-20 | CVE-2023-33495 | Craft CMS through 4.4.9 is vulnerable to HTML Injection. | Craft_cms | 6.1 | ||
| 2023-08-23 | CVE-2023-40035 | Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and... | Craft_cms | 7.2 | ||
| 2023-05-27 | CVE-2023-33195 | Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. | Craft_cms | 6.1 | ||
| 2023-05-26 | CVE-2023-33196 | Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. | Craft_cms | 5.4 | ||
| 2023-05-26 | CVE-2023-33194 | Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. | Craft_cms, Craftercms | 4.8 | ||
| 2023-05-26 | CVE-2023-33197 | Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. | Craft_cms | 5.4 | ||
| 2023-05-19 | CVE-2023-32679 | Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an... | Craft_cms | 7.2 | ||
| 2023-05-12 | CVE-2023-30130 | An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. | Craft_cms | 8.8 | ||
| 2023-05-09 | CVE-2023-31144 | Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4. | Craft_cms | 6.1 |