Package details: pkg:composer/craftcms/cms@2.0.2540

purl: pkg:composer/craftcms/cms@2.0.2540
Next non-vulnerable version: 3.7.33
Latest non-vulnerable version: 5.9.18
Risk: 10.0
Vulnerabilities affecting this package (13)
Vulnerability: VCID-3n7p-999s-r3f3 (aliases: CVE-2017-8383, GHSA-7qq6-fgpw-xw45)
Summary: File and Directory Information Exposure. Craft CMS does not properly restrict viewing the contents of files in the `craft/app/` folder.
Fixed by: 2.6.2975 (affected by 9 other vulnerabilities); 2.6.2976 (affected by 9 other vulnerabilities)

Vulnerability: VCID-3r9x-ax4j-3yha (aliases: CVE-2022-28378, GHSA-7xj5-fwqr-5378)
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Craft CMS before 3.7.29 allows XSS.
Fixed by: 3.7.29 (affected by 1 other vulnerability)

Vulnerability: VCID-3twn-e7up-2ugq (aliases: CVE-2018-20465, GHSA-j7fx-v37j-v3w7)
Summary: Missing Encryption of Sensitive Data. Craft CMS allows remote authenticated administrators to read sensitive information via server-side template injection, which causes a cleartext username and password to be displayed in a URI field.
Fixed by: 3.0.35 (affected by 7 other vulnerabilities)

Vulnerability: VCID-8pjj-w8h7-p7ga (aliases: CVE-2022-29933, GHSA-5cjr-78cq-3wrg)
Summary: Weak Password Recovery Mechanism for Forgotten Password. Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).
Fixed by: 3.7.36 (affected by 1 other vulnerability); 3.7.37 (affected by 0 other vulnerabilities)

Vulnerability: VCID-97zb-4cxh-7yah (aliases: CVE-2017-8385, GHSA-j27g-r58q-624w)
Summary: Weak Password Recovery Mechanism for Forgotten Password. Craft CMS does not prevent modification of the URL in a forgot-password email message.
Fixed by: 2.6.2975 (affected by 9 other vulnerabilities); 2.6.2976 (affected by 9 other vulnerabilities)

Vulnerability: VCID-dgvz-qam7-23c1 (aliases: CVE-2017-9516, GHSA-6pvw-hh48-jx7p)
Summary: Cross-site Scripting. Craft CMS allows for a potential XSS attack vector by uploading a malicious SVG file.
Fixed by: 2.6.2982 (affected by 8 other vulnerabilities)

Vulnerability: VCID-hz6m-gqvb-6kae (aliases: CVE-2017-8052, GHSA-xv5f-2997-qhrq)
Summary: Cross-site Scripting. Craft CMS allows XSS attacks.
Fixed by: 2.6.2974 (affected by 12 other vulnerabilities)

Vulnerability: VCID-mkab-fw34-ekh9 (aliases: CVE-2017-8384, GHSA-9mcw-mwxv-grwj)
Summary: Cross-site Scripting. Craft CMS allows XSS attacks because the arrays returned by `HttpRequestService::getSegments()` and `getActionSegments()` need not be zero-based.
Fixed by: 2.6.2975 (affected by 9 other vulnerabilities); 2.6.2976 (affected by 9 other vulnerabilities)

Vulnerability: VCID-n1z8-7a8m-rfcc (aliases: CVE-2021-27903, GHSA-x2j7-6hxm-87p3)
Summary: Craft CMS Remote Code Injection. An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).
Fixed by: 3.6.7 (affected by 5 other vulnerabilities)

Vulnerability: VCID-nz6e-26rc-f3fa (aliases: CVE-2021-32470, GHSA-h2rj-8wgg-mm43)
Summary: Cross-site Scripting. Craft CMS has an XSS vulnerability.
Fixed by: 3.6.13 (affected by 4 other vulnerabilities)

Vulnerability: VCID-u4t8-gkkb-73bv (aliases: GHSA-wf98-vxv9-jqfv, GMS-2022-790)
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms.
Fixed by: 3.7.29 (affected by 1 other vulnerability)

Vulnerability: VCID-xc5n-1vqa-tqaz (aliases: CVE-2021-27902, GHSA-3jxh-789f-p7m6)
Summary: Craft CMS Cross-site Scripting Vulnerability. An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.
Fixed by: 3.6.0 (affected by 6 other vulnerabilities)

Vulnerability: VCID-xv52-rc7v-yba8 (aliases: CVE-2020-9757, GHSA-6q4j-8pjm-5mgc)
Summary: Injection Vulnerability. The `SEOmatic` component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the `metacontainers` controller.
Fixed by: 3.3.0 (affected by 6 other vulnerabilities)
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-06T01:45:43.108222+00:00 | GitLab Importer | Affected by | VCID-8pjj-w8h7-p7ga | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2022-29933.yml | 38.6.0
2026-06-06T01:39:38.398339+00:00 | GitLab Importer | Affected by | VCID-u4t8-gkkb-73bv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/GMS-2022-790.yml | 38.6.0
2026-06-06T01:39:28.990348+00:00 | GitLab Importer | Affected by | VCID-3r9x-ax4j-3yha | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2022-28378.yml | 38.6.0
2026-06-06T00:47:26.327734+00:00 | GitLab Importer | Affected by | VCID-xc5n-1vqa-tqaz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2021-27902.yml | 38.6.0
2026-06-06T00:47:21.349439+00:00 | GitLab Importer | Affected by | VCID-n1z8-7a8m-rfcc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2021-27903.yml | 38.6.0
2026-06-06T00:36:22.522026+00:00 | GitLab Importer | Affected by | VCID-nz6e-26rc-f3fa | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2021-32470.yml | 38.6.0
2026-06-04T20:27:50.053410+00:00 | GitLab Importer | Affected by | VCID-xv52-rc7v-yba8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2020-9757.yml | 38.6.0
2026-06-04T20:17:46.545583+00:00 | GitLab Importer | Affected by | VCID-3twn-e7up-2ugq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2018-20465.yml | 38.6.0
2026-06-04T20:08:10.591413+00:00 | GitLab Importer | Affected by | VCID-dgvz-qam7-23c1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-9516.yml | 38.6.0
2026-06-04T20:07:56.065966+00:00 | GitLab Importer | Affected by | VCID-3n7p-999s-r3f3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8383.yml | 38.6.0
2026-06-04T20:07:55.433457+00:00 | GitLab Importer | Affected by | VCID-mkab-fw34-ekh9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8384.yml | 38.6.0
2026-06-04T20:07:54.820368+00:00 | GitLab Importer | Affected by | VCID-97zb-4cxh-7yah | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8385.yml | 38.6.0
2026-06-04T20:07:51.470940+00:00 | GitLab Importer | Affected by | VCID-hz6m-gqvb-6kae | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8052.yml | 38.6.0