Lookup for vulnerable packages by Package URL.

Purl pkg:composer/craftcms/cms@4.4.6
Type composer
Namespace craftcms
Name cms
Version 4.4.6
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.4.7
Latest_non_vulnerable_version 5.9.9
Affected_by_vulnerabilities
0
url VCID-2vn9-2cs3-vbg3
vulnerability_id VCID-2vn9-2cs3-vbg3
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
references
0
reference_url https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7
reference_id
reference_type
scores
url https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7
1
reference_url https://github.com/craftcms/cms/releases/tag/4.4.7
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/4.4.7
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-33196
reference_id CVE-2023-33196
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-33196
3
reference_url https://github.com/advisories/GHSA-cjmm-x9x9-m2w5
reference_id GHSA-cjmm-x9x9-m2w5
reference_type
scores
url https://github.com/advisories/GHSA-cjmm-x9x9-m2w5
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5
reference_id GHSA-cjmm-x9x9-m2w5
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5
fixed_packages
0
url pkg:composer/craftcms/cms@4.4.7
purl pkg:composer/craftcms/cms@4.4.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.7
aliases CVE-2023-33196, GHSA-cjmm-x9x9-m2w5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2vn9-2cs3-vbg3
Fixing_vulnerabilities
0
url VCID-5pur-jy1x-gfhv
vulnerability_id VCID-5pur-jy1x-gfhv
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
references
0
reference_url https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
reference_id
reference_type
scores
url https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
1
reference_url https://github.com/craftcms/cms/releases/tag/4.4.6
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/4.4.6
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-33197
reference_id CVE-2023-33197
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-33197
3
reference_url https://github.com/advisories/GHSA-6qjx-787v-6pxr
reference_id GHSA-6qjx-787v-6pxr
reference_type
scores
url https://github.com/advisories/GHSA-6qjx-787v-6pxr
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr
reference_id GHSA-6qjx-787v-6pxr
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr
fixed_packages
0
url pkg:composer/craftcms/cms@4.4.6
purl pkg:composer/craftcms/cms@4.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2vn9-2cs3-vbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6
aliases CVE-2023-33197, GHSA-6qjx-787v-6pxr
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5pur-jy1x-gfhv
1
url VCID-hm7h-7cu3-8be1
vulnerability_id VCID-hm7h-7cu3-8be1
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.
references
0
reference_url https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888
reference_id
reference_type
scores
url https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888
1
reference_url https://github.com/craftcms/cms/releases/tag/4.4.6
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/4.4.6
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-33194
reference_id CVE-2023-33194
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-33194
3
reference_url https://github.com/advisories/GHSA-3wxg-w96j-8hq9
reference_id GHSA-3wxg-w96j-8hq9
reference_type
scores
url https://github.com/advisories/GHSA-3wxg-w96j-8hq9
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9
reference_id GHSA-3wxg-w96j-8hq9
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9
fixed_packages
0
url pkg:composer/craftcms/cms@3.8.6
purl pkg:composer/craftcms/cms@3.8.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.6
1
url pkg:composer/craftcms/cms@4.4.6
purl pkg:composer/craftcms/cms@4.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2vn9-2cs3-vbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6
aliases CVE-2023-33194, GHSA-3wxg-w96j-8hq9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hm7h-7cu3-8be1
2
url VCID-rvrz-498f-2uet
vulnerability_id VCID-rvrz-498f-2uet
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
references
0
reference_url https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f
reference_id
reference_type
scores
url https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f
1
reference_url https://github.com/craftcms/cms/releases/tag/4.4.6
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/4.4.6
2
reference_url https://github.com/advisories/GHSA-qpgm-gjgf-8c2x
reference_id GHSA-qpgm-gjgf-8c2x
reference_type
scores
url https://github.com/advisories/GHSA-qpgm-gjgf-8c2x
3
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x
reference_id GHSA-qpgm-gjgf-8c2x
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x
fixed_packages
0
url pkg:composer/craftcms/cms@4.4.6
purl pkg:composer/craftcms/cms@4.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2vn9-2cs3-vbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6
aliases CVE-2023-33195, GHSA-qpgm-gjgf-8c2x
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rvrz-498f-2uet
3
url VCID-wcx6-wed9-gub2
vulnerability_id VCID-wcx6-wed9-gub2
summary
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://github.com/craftcms/cms/releases/tag/4.4.6
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/4.4.6
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-32679
reference_id CVE-2023-32679
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-32679
2
reference_url https://github.com/advisories/GHSA-vqxf-r9ph-cc9c
reference_id GHSA-vqxf-r9ph-cc9c
reference_type
scores
url https://github.com/advisories/GHSA-vqxf-r9ph-cc9c
3
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c
reference_id GHSA-vqxf-r9ph-cc9c
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c
fixed_packages
0
url pkg:composer/craftcms/cms@4.4.6
purl pkg:composer/craftcms/cms@4.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2vn9-2cs3-vbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6
aliases CVE-2023-32679, GHSA-vqxf-r9ph-cc9c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wcx6-wed9-gub2
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6