Look up vulnerable packages by Package URL (purl).

Purl pkg:composer/craftcms/cms@4.0.0
Type composer
Namespace craftcms
Name cms
Version 4.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.3.7
Latest_non_vulnerable_version 5.9.18
Affected_by_vulnerabilities
0
url VCID-6hcd-ayyh-3fdb
vulnerability_id VCID-6hcd-ayyh-3fdb
summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442
2
reference_url https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-31144
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-31144
4
reference_url https://github.com/advisories/GHSA-j4mx-98hw-6rv6
reference_id GHSA-j4mx-98hw-6rv6
reference_type
scores
url https://github.com/advisories/GHSA-j4mx-98hw-6rv6
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6
reference_id GHSA-j4mx-98hw-6rv6
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6
fixed_packages
0
url pkg:composer/craftcms/cms@4.4.4
purl pkg:composer/craftcms/cms@4.4.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.4
aliases CVE-2023-31144, GHSA-j4mx-98hw-6rv6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6hcd-ayyh-3fdb
1
url VCID-wcx6-wed9-gub2
vulnerability_id VCID-wcx6-wed9-gub2
summary
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not an empty string ('') in View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() chain, it returns directly without extension verification, so files with arbitrary extensions are rendered as Twig templates. An attacker with admin privileges on a DEV environment, or on an improperly configured STG or PROD environment, can exploit this vulnerability to achieve remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/releases/tag/4.4.6
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.4.6
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-32679
reference_id CVE-2023-32679
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-32679
3
reference_url https://github.com/advisories/GHSA-vqxf-r9ph-cc9c
reference_id GHSA-vqxf-r9ph-cc9c
reference_type
scores
url https://github.com/advisories/GHSA-vqxf-r9ph-cc9c
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c
reference_id GHSA-vqxf-r9ph-cc9c
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c
fixed_packages
0
url pkg:composer/craftcms/cms@4.4.6
purl pkg:composer/craftcms/cms@4.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2vn9-2cs3-vbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6
aliases CVE-2023-32679, GHSA-vqxf-r9ph-cc9c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wcx6-wed9-gub2
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0
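Triaging a lookup result like the one above in code, as an added example that is not part of this page or of VulnerableCode itself. The block embeds a constructed sample trimmed from the record shown here (the page's own identifiers, one scored reference per vulnerability), recomputes each CVSS v3.1 base score from the vector string so the feed's reported score can be cross-checked, and flags "fixed" versions that the feed itself still marks vulnerable, as 4.4.6 is above (affected by VCID-2vn9-2cs3-vbg3); the upgrade target is therefore read from the next/latest non-vulnerable fields rather than from fixed_packages. The names triage, cvss31_base_score and SAMPLE_RESPONSE are this example's own; the metric weights and the Roundup rule are those of the CVSS v3.1 specification.

```python
"""Triage a VulnerableCode purl lookup result (added example, not VulnerableCode's code)."""
import json

# CVSS v3.1 base-metric weights, as published in the CVSS v3.1 specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, computed on
    integers so floating-point drift cannot flip the last digit."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Recompute the base score from a 'CVSS:3.1/...' vector so a feed's
    reported score can be checked against the vector it ships alongside."""
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    changed = metrics["S"] == "C"
    iss = 1 - (1 - _CIA[metrics["C"]]) * (1 - _CIA[metrics["I"]]) * (1 - _CIA[metrics["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[metrics["PR"]]
    exploitability = 8.22 * _AV[metrics["AV"]] * _AC[metrics["AC"]] * pr * _UI[metrics["UI"]]
    total = (impact + exploitability) * (1.08 if changed else 1.0)
    return _roundup(min(total, 10.0))


def triage(lookup: dict) -> dict:
    """Summarise one package record: affecting VCIDs with their highest CVSS,
    reported scores that disagree with their own vector, and 'fixed' versions
    the feed still flags vulnerable (those trade one VCID for another)."""
    report = {
        "purl": lookup["purl"],
        "is_vulnerable": lookup["is_vulnerable"],
        # The record's own non-vulnerable pointers are the safe upgrade targets.
        "next_clean": lookup.get("next_non_vulnerable_version"),
        "latest_clean": lookup.get("latest_non_vulnerable_version"),
        "vulnerabilities": [],
        "score_mismatches": [],
        "fixes_still_vulnerable": {},
    }
    for vuln in lookup["affected_by_vulnerabilities"]:
        vcid = vuln["vulnerability_id"]
        entry = {"id": vcid, "aliases": vuln.get("aliases", []), "max_cvss": 0.0}
        for ref in vuln.get("references", []):
            for score in ref.get("scores", []):
                if score["scoring_system"] != "cvssv3.1":
                    continue  # generic_textual ratings carry no vector to verify
                reported = float(score["value"])
                computed = cvss31_base_score(score["scoring_elements"])
                entry["max_cvss"] = max(entry["max_cvss"], reported)
                if computed != reported:
                    report["score_mismatches"].append((vcid, reported, computed))
        for fix in vuln.get("fixed_packages", []):
            if fix["is_vulnerable"]:
                report["fixes_still_vulnerable"][fix["purl"]] = [
                    a["vulnerability"] for a in fix["affected_by_vulnerabilities"]]
        report["vulnerabilities"].append(entry)
    return report


# Constructed sample: the record shown on this page, trimmed to one scored
# reference per vulnerability. Keys follow the page's own field names.
SAMPLE_RESPONSE = {
    "purl": "pkg:composer/craftcms/cms@4.0.0",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "4.3.7",
    "latest_non_vulnerable_version": "5.9.18",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-6hcd-ayyh-3fdb",
         "aliases": ["CVE-2023-31144", "GHSA-j4mx-98hw-6rv6"],
         "references": [{"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31144",
                         "scores": [{"value": "6.1", "scoring_system": "cvssv3.1",
                                     "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},
                                    {"value": "MODERATE", "scoring_system": "generic_textual",
                                     "scoring_elements": ""}]}],
         "fixed_packages": [{"purl": "pkg:composer/craftcms/cms@4.4.4", "is_vulnerable": False,
                             "affected_by_vulnerabilities": []}]},
        {"vulnerability_id": "VCID-wcx6-wed9-gub2",
         "aliases": ["CVE-2023-32679", "GHSA-vqxf-r9ph-cc9c"],
         "references": [{"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32679",
                         "scores": [{"value": "7.2", "scoring_system": "cvssv3.1",
                                     "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}],
         "fixed_packages": [{"purl": "pkg:composer/craftcms/cms@4.4.6", "is_vulnerable": True,
                             "affected_by_vulnerabilities": [{"vulnerability": "VCID-2vn9-2cs3-vbg3"}]}]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

Run against the sample, both reported scores (6.1 and 7.2) agree with their vectors, so score_mismatches is empty, while fixes_still_vulnerable lists 4.4.6 with VCID-2vn9-2cs3-vbg3; a pipeline that blindly upgraded to the advisory's fixed version would land on a package the same feed still flags.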