Search for packages
| purl | pkg:composer/craftcms/cms@2.6.3001 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3twn-e7up-2ugq
Aliases: CVE-2018-20465 GHSA-j7fx-v37j-v3w7 |
Missing Encryption of Sensitive Data Craft CMS allows remote authenticated administrators to read sensitive information via server-side template injection which causes a cleartext username and password to be displayed in a URI field. |
Affected by 4 other vulnerabilities. |
|
VCID-n1z8-7a8m-rfcc
Aliases: CVE-2021-27903 GHSA-x2j7-6hxm-87p3 |
Craft CMS Remote Code Injection An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). |
Affected by 2 other vulnerabilities. |
|
VCID-nz6e-26rc-f3fa
Aliases: CVE-2021-32470 GHSA-h2rj-8wgg-mm43 |
Cross-site Scripting Craft CMS has an XSS vulnerability. |
Affected by 1 other vulnerability. |
|
VCID-xc5n-1vqa-tqaz
Aliases: CVE-2021-27902 GHSA-3jxh-789f-p7m6 |
Craft CMS Cross-site Scripting Vulnerability An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. |
Affected by 3 other vulnerabilities. |
|
VCID-xv52-rc7v-yba8
Aliases: CVE-2020-9757 GHSA-6q4j-8pjm-5mgc |
Injection Vulnerability The `SEOmatic` component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the `metacontainers` controller. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gbf2-3kde-kkc4 | Injection Vulnerability Craft CMS allows remote attackers to execute arbitrary PHP code by using the `Assets->Upload files` screen and then the `Replace it` option, because this allows a `.jpg` file to have embedded PHP code, and then be renamed to a `.php` extension. |
CVE-2018-3814
GHSA-r342-vjc4-wrmj |