Search for packages
| purl | pkg:composer/craftcms/cms@2.6.2989 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3r9x-ax4j-3yha
Aliases: CVE-2022-28378 GHSA-7xj5-fwqr-5378 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft CMS before 3.7.29 allows XSS. |
Affected by 1 other vulnerability. |
|
VCID-3twn-e7up-2ugq
Aliases: CVE-2018-20465 GHSA-j7fx-v37j-v3w7 |
Missing Encryption of Sensitive Data Craft CMS allows remote authenticated administrators to read sensitive information via server-side template injection which causes a cleartext username and password to be displayed in a URI field. |
Affected by 7 other vulnerabilities. |
|
VCID-8pjj-w8h7-p7ga
Aliases: CVE-2022-29933 GHSA-5cjr-78cq-3wrg |
Weak Password Recovery Mechanism for Forgotten Password Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-n1z8-7a8m-rfcc
Aliases: CVE-2021-27903 GHSA-x2j7-6hxm-87p3 |
Craft CMS Remote Code Injection An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). |
Affected by 5 other vulnerabilities. |
|
VCID-nz6e-26rc-f3fa
Aliases: CVE-2021-32470 GHSA-h2rj-8wgg-mm43 |
Cross-site Scripting Craft CMS has an XSS vulnerability. |
Affected by 4 other vulnerabilities. |
|
VCID-u4t8-gkkb-73bv
Aliases: GHSA-wf98-vxv9-jqfv GMS-2022-790 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
Affected by 1 other vulnerability. |
|
VCID-xc5n-1vqa-tqaz
Aliases: CVE-2021-27902 GHSA-3jxh-789f-p7m6 |
Craft CMS Cross-site Scripting Vulnerability An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. |
Affected by 6 other vulnerabilities. |
|
VCID-xv52-rc7v-yba8
Aliases: CVE-2020-9757 GHSA-6q4j-8pjm-5mgc |
Injection Vulnerability The `SEOmatic` component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the `metacontainers` controller. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||