| 0 |
| url |
VCID-3r9x-ax4j-3yha |
| vulnerability_id |
VCID-3r9x-ax4j-3yha |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft CMS before 3.7.29 allows XSS. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.29 |
| purl |
pkg:composer/craftcms/cms@3.7.29 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 3 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 4 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 5 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 6 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 7 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 8 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 9 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 10 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 11 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 12 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 13 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 14 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.29 |
|
|
| aliases |
CVE-2022-28378, GHSA-7xj5-fwqr-5378
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3r9x-ax4j-3yha |
|
| 1 |
| url |
VCID-41y2-tucq-ykaj |
| vulnerability_id |
VCID-41y2-tucq-ykaj |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.3.7 |
| purl |
pkg:composer/craftcms/cms@4.3.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2vn9-2cs3-vbg3 |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 3 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 4 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 5 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 6 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 7 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 8 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 9 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 10 |
| vulnerability |
VCID-rvrz-498f-2uet |
|
| 11 |
| vulnerability |
VCID-wcx6-wed9-gub2 |
|
| 12 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.3.7 |
|
|
| aliases |
CVE-2023-23927, GHSA-qcrj-6ffc-v7hq
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-41y2-tucq-ykaj |
|
| 2 |
| url |
VCID-5pur-jy1x-gfhv |
| vulnerability_id |
VCID-5pur-jy1x-gfhv |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-33197, GHSA-6qjx-787v-6pxr
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5pur-jy1x-gfhv |
|
| 3 |
|
| 4 |
| url |
VCID-8pjj-w8h7-p7ga |
| vulnerability_id |
VCID-8pjj-w8h7-p7ga |
| summary |
Weak Password Recovery Mechanism for Forgotten Password
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-29933, GHSA-5cjr-78cq-3wrg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8pjj-w8h7-p7ga |
|
| 5 |
|
| 6 |
| url |
VCID-adak-sn51-23gd |
| vulnerability_id |
VCID-adak-sn51-23gd |
| summary |
Craft CMS XSS Vulnerability
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.3.8 |
| purl |
pkg:composer/craftcms/cms@3.3.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3r9x-ax4j-3yha |
|
| 1 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 7 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 8 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 9 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 10 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 11 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 12 |
| vulnerability |
VCID-n1z8-7a8m-rfcc |
|
| 13 |
| vulnerability |
VCID-nz6e-26rc-f3fa |
|
| 14 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 15 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 16 |
| vulnerability |
VCID-u4t8-gkkb-73bv |
|
| 17 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 18 |
| vulnerability |
VCID-xc5n-1vqa-tqaz |
|
| 19 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.3.8 |
|
|
| aliases |
CVE-2019-17496, GHSA-f3xr-q258-h7m9
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-adak-sn51-23gd |
|
| 7 |
| url |
VCID-cwm6-qf1f-2keb |
| vulnerability_id |
VCID-cwm6-qf1f-2keb |
| summary |
Craft CMS SQL injection vulnerability via the GraphQL API endpoint
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.32 |
| purl |
pkg:composer/craftcms/cms@3.7.32 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 3 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 4 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 5 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 6 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 7 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 8 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 9 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 10 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 11 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 12 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 13 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.32 |
|
|
| aliases |
CVE-2024-37843, GHSA-hq4f-mv3q-8wcv
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cwm6-qf1f-2keb |
|
| 8 |
| url |
VCID-dz26-b2ts-puep |
| vulnerability_id |
VCID-dz26-b2ts-puep |
| summary |
Craft CMS Feed-Me
An issue discovered in Craft CMS version 4.6.1. allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-36260, GHSA-6p78-f7h9-6838
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dz26-b2ts-puep |
|
| 9 |
| url |
VCID-ec34-nvn3-qbcb |
| vulnerability_id |
VCID-ec34-nvn3-qbcb |
| summary |
Craft CMS vulnerable to Remote Code Execution via validatePath bypass
Bypassing the validatePath function can lead to potential Remote Code Execution
(Post-authentication, ALLOW_ADMIN_CHANGES=true) |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-40035, GHSA-44wr-rmwq-3phw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ec34-nvn3-qbcb |
|
| 10 |
| url |
VCID-eecq-8t4y-kka3 |
| vulnerability_id |
VCID-eecq-8t4y-kka3 |
| summary |
Craft CMS discloses password hashes
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash in without encoding it whereas the corresponding HTML hidden field discloses the users' password hash in a masked manner, which can be decoded by using public functions of the YII framework. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-37783, GHSA-h972-v458-m892
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eecq-8t4y-kka3 |
|
| 11 |
| url |
VCID-hm7h-7cu3-8be1 |
| vulnerability_id |
VCID-hm7h-7cu3-8be1 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-33194, GHSA-3wxg-w96j-8hq9
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hm7h-7cu3-8be1 |
|
| 12 |
| url |
VCID-jhen-vhqx-n7dr |
| vulnerability_id |
VCID-jhen-vhqx-n7dr |
| summary |
Improper Privilege Management
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-21622, GHSA-j5g9-j7r4-6qvx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jhen-vhqx-n7dr |
|
| 13 |
| url |
VCID-n1z8-7a8m-rfcc |
| vulnerability_id |
VCID-n1z8-7a8m-rfcc |
| summary |
Craft CMS Remote Code Injection
An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.6.7 |
| purl |
pkg:composer/craftcms/cms@3.6.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3r9x-ax4j-3yha |
|
| 1 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-c9mw-1at1-ebaz |
|
| 7 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 8 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 9 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 10 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 11 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 12 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 13 |
| vulnerability |
VCID-nz6e-26rc-f3fa |
|
| 14 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 15 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 16 |
| vulnerability |
VCID-u4t8-gkkb-73bv |
|
| 17 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 18 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.6.7 |
|
|
| aliases |
CVE-2021-27903, GHSA-x2j7-6hxm-87p3
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n1z8-7a8m-rfcc |
|
| 14 |
| url |
VCID-nz6e-26rc-f3fa |
| vulnerability_id |
VCID-nz6e-26rc-f3fa |
| summary |
Cross-site Scripting
Craft CMS has an XSS vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.6.13 |
| purl |
pkg:composer/craftcms/cms@3.6.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3r9x-ax4j-3yha |
|
| 1 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-c9mw-1at1-ebaz |
|
| 7 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 8 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 9 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 10 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 11 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 12 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 13 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 14 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 15 |
| vulnerability |
VCID-u4t8-gkkb-73bv |
|
| 16 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 17 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.6.13 |
|
|
| aliases |
CVE-2021-32470, GHSA-h2rj-8wgg-mm43
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nz6e-26rc-f3fa |
|
| 15 |
| url |
VCID-qcwp-su57-9fa1 |
| vulnerability_id |
VCID-qcwp-su57-9fa1 |
| summary |
Improper Control of Generation of Code ('Code Injection')
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-30179, GHSA-3x74-v64j-qc3f
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qcwp-su57-9fa1 |
|
| 16 |
| url |
VCID-s5v6-e631-17f5 |
| vulnerability_id |
VCID-s5v6-e631-17f5 |
| summary |
CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter
An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://craftcms.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://craftcms.com |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://craftcms.com/ |
| reference_id |
craftcms.com |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-24T16:00:57Z/ |
|
|
| url |
https://craftcms.com/ |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-30130, GHSA-fjx5-xm7q-whvj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s5v6-e631-17f5 |
|
| 17 |
| url |
VCID-u4t8-gkkb-73bv |
| vulnerability_id |
VCID-u4t8-gkkb-73bv |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.29 |
| purl |
pkg:composer/craftcms/cms@3.7.29 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 3 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 4 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 5 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 6 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 7 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 8 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 9 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 10 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 11 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 12 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 13 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 14 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.29 |
|
|
| aliases |
GHSA-wf98-vxv9-jqfv, GMS-2022-790
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u4t8-gkkb-73bv |
|
| 18 |
| url |
VCID-vbz3-3rqd-3fh6 |
| vulnerability_id |
VCID-vbz3-3rqd-3fh6 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-30177, GHSA-wv7j-rc2q-9j67
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vbz3-3rqd-3fh6 |
|
| 19 |
| url |
VCID-xc5n-1vqa-tqaz |
| vulnerability_id |
VCID-xc5n-1vqa-tqaz |
| summary |
Craft CMS Cross-site Scripting Vulnerability
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.6.0 |
| purl |
pkg:composer/craftcms/cms@3.6.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3r9x-ax4j-3yha |
|
| 1 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-c9mw-1at1-ebaz |
|
| 7 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 8 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 9 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 10 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 11 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 12 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 13 |
| vulnerability |
VCID-n1z8-7a8m-rfcc |
|
| 14 |
| vulnerability |
VCID-nz6e-26rc-f3fa |
|
| 15 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 16 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 17 |
| vulnerability |
VCID-u4t8-gkkb-73bv |
|
| 18 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 19 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.6.0 |
|
|
| aliases |
CVE-2021-27902, GHSA-3jxh-789f-p7m6
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xc5n-1vqa-tqaz |
|
| 20 |
| url |
VCID-xv52-rc7v-yba8 |
| vulnerability_id |
VCID-xv52-rc7v-yba8 |
| summary |
Injection Vulnerability
The `SEOmatic` component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the `metacontainers` controller. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.3.0 |
| purl |
pkg:composer/craftcms/cms@3.3.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3r9x-ax4j-3yha |
|
| 1 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-adak-sn51-23gd |
|
| 7 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 8 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 9 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 10 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 11 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 12 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 13 |
| vulnerability |
VCID-n1z8-7a8m-rfcc |
|
| 14 |
| vulnerability |
VCID-nz6e-26rc-f3fa |
|
| 15 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 16 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 17 |
| vulnerability |
VCID-u4t8-gkkb-73bv |
|
| 18 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 19 |
| vulnerability |
VCID-xc5n-1vqa-tqaz |
|
| 20 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.3.0 |
|
|
| aliases |
CVE-2020-9757, GHSA-6q4j-8pjm-5mgc
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xv52-rc7v-yba8 |
|
| 21 |
| url |
VCID-ymw8-mvrz-e7bc |
| vulnerability_id |
VCID-ymw8-mvrz-e7bc |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-2817, GHSA-7x94-jx75-3gh6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ymw8-mvrz-e7bc |
|