| purl | pkg:composer/craftcms/cms@3.0.0-beta.15 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-27rw-tqt8-b3cw (Aliases: CVE-2023-2817, GHSA-7x94-jx75-3gh6) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. | Affected by 47 other vulnerabilities. |
| VCID-461m-1bs4-h3h4 (Aliases: CVE-2020-9757, GHSA-6q4j-8pjm-5mgc) | | Affected by 25 other vulnerabilities. |
| VCID-4nsm-ywbw-6khr (Aliases: CVE-2019-17496, GHSA-f3xr-q258-h7m9) | | Affected by 24 other vulnerabilities. |
| VCID-7ycr-xgy8-ruda (Aliases: CVE-2021-27902, GHSA-3jxh-789f-p7m6) | | Affected by 28 other vulnerabilities. |
| VCID-82fq-7xbq-pkd4 (Aliases: CVE-2023-33197, GHSA-6qjx-787v-6pxr) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. | Affected by 50 other vulnerabilities. |
| VCID-97dc-bwdp-ubb8 (Aliases: CVE-2019-12823, GHSA-w5q4-q7wp-qww6) | | Affected by 27 other vulnerabilities. |
| VCID-bhy3-udjf-ykez (Aliases: CVE-2023-23927, GHSA-qcrj-6ffc-v7hq) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, a cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. | Affected by 20 other vulnerabilities. Affected by 56 other vulnerabilities. |
| VCID-by8u-4u1h-w7gf (Aliases: CVE-2022-28378, GHSA-7xj5-fwqr-5378) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Craft CMS before 3.7.29 allows XSS. | Affected by 23 other vulnerabilities. |
| VCID-ddga-pq52-tybe (Aliases: CVE-2021-27903, GHSA-x2j7-6hxm-87p3) | | Affected by 27 other vulnerabilities. |
| VCID-e4ax-kekp-xud6 (Aliases: CVE-2023-30179, GHSA-3x74-v64j-qc3f) | Improper Control of Generation of Code ('Code Injection'). CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. | Affected by 55 other vulnerabilities. |
| VCID-gd9g-mju5-hbgy (Aliases: CVE-2019-15929, GHSA-wvr4-w6cw-4px8) | | Affected by 27 other vulnerabilities. |
| VCID-gqy1-6u5a-hkeu (Aliases: CVE-2023-33495, GHSA-m3v5-gjj9-rg24) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Craft CMS through 4.4.9 is vulnerable to HTML Injection. | Affected by 48 other vulnerabilities. |
| VCID-k2hd-wks4-ducu (Aliases: CVE-2024-37843, GHSA-hq4f-mv3q-8wcv) | | Affected by 22 other vulnerabilities. |
| VCID-ksxr-4r5f-w7ck (Aliases: CVE-2023-36260, GHSA-6p78-f7h9-6838) | Craft CMS Feed-Me. An issue discovered in Craft CMS version 4.6.1 allows remote attackers to cause a denial of service (DoS) via a crafted string to the Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected. | Affected by 0 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-nyqy-y3dw-eyer (Aliases: CVE-2025-35939, GHSA-7vrx-9684-xrf2) | | Affected by 40 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-r8ea-btqd-uuac (Aliases: CVE-2023-30130, GHSA-fjx5-xm7q-whvj) | CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter. An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. | Affected by 17 other vulnerabilities. |
| VCID-sm2a-qs2r-w3c6 (Aliases: CVE-2022-29933, GHSA-5cjr-78cq-3wrg) | Weak Password Recovery Mechanism for Forgotten Password. Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). | Affected by 21 other vulnerabilities. Affected by 20 other vulnerabilities. |
| VCID-w9cn-xgye-jber (Aliases: CVE-2025-32432, GHSA-f3gw-9ww9-jmc3) | | Affected by 5 other vulnerabilities. Affected by 40 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-x258-5jtv-jqex (Aliases: CVE-2023-36259, GHSA-v89q-c273-3p42) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. | Affected by 29 other vulnerabilities. |
| VCID-x3mb-qyu8-n3hz (Aliases: GHSA-wf98-vxv9-jqfv, GMS-2022-790) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. | Affected by 23 other vulnerabilities. |
| VCID-xrv1-v87w-ubfv (Aliases: CVE-2018-20465, GHSA-j7fx-v37j-v3w7) | Missing Encryption of Sensitive Data. Craft CMS allows remote authenticated administrators to read sensitive information via server-side template injection which causes a cleartext username and password to be displayed in a URI field. | Affected by 28 other vulnerabilities. |
| VCID-ytkk-yf5a-cud3 (Aliases: CVE-2021-32470, GHSA-h2rj-8wgg-mm43) | | Affected by 26 other vulnerabilities. |
| VCID-zdzh-bgs7-67dd (Aliases: CVE-2023-30177, GHSA-wv7j-rc2q-9j67) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into Volume Name. | Affected by 18 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |