Search for packages
| purl | pkg:composer/craftcms/cms@3.1.28 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27rw-tqt8-b3cw
Aliases: CVE-2023-2817 GHSA-7x94-jx75-3gh6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. |
Affected by 47 other vulnerabilities. |
|
VCID-461m-1bs4-h3h4
Aliases: CVE-2020-9757 GHSA-6q4j-8pjm-5mgc |
Affected by 25 other vulnerabilities. |
|
|
VCID-4nsm-ywbw-6khr
Aliases: CVE-2019-17496 GHSA-f3xr-q258-h7m9 |
Affected by 24 other vulnerabilities. |
|
|
VCID-5h73-3z9j-xqb8
Aliases: CVE-2023-40035 GHSA-44wr-rmwq-3phw |
Craft CMS vulnerable to Remote Code Execution via validatePath bypass Bypassing the validatePath function can lead to potential Remote Code Execution (Post-authentication, ALLOW_ADMIN_CHANGES=true) |
Affected by 10 other vulnerabilities. Affected by 45 other vulnerabilities. |
|
VCID-7ycr-xgy8-ruda
Aliases: CVE-2021-27902 GHSA-3jxh-789f-p7m6 |
Affected by 28 other vulnerabilities. |
|
|
VCID-82fq-7xbq-pkd4
Aliases: CVE-2023-33197 GHSA-6qjx-787v-6pxr |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. |
Affected by 50 other vulnerabilities. |
|
VCID-97dc-bwdp-ubb8
Aliases: CVE-2019-12823 GHSA-w5q4-q7wp-qww6 |
Affected by 27 other vulnerabilities. |
|
|
VCID-bhy3-udjf-ykez
Aliases: CVE-2023-23927 GHSA-qcrj-6ffc-v7hq |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. |
Affected by 20 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
VCID-by8u-4u1h-w7gf
Aliases: CVE-2022-28378 GHSA-7xj5-fwqr-5378 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft CMS before 3.7.29 allows XSS. |
Affected by 23 other vulnerabilities. |
|
VCID-ddga-pq52-tybe
Aliases: CVE-2021-27903 GHSA-x2j7-6hxm-87p3 |
Affected by 27 other vulnerabilities. |
|
|
VCID-e4ax-kekp-xud6
Aliases: CVE-2023-30179 GHSA-3x74-v64j-qc3f |
Improper Control of Generation of Code ('Code Injection') CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. |
Affected by 55 other vulnerabilities. |
|
VCID-gbct-7xjg-quf4
Aliases: CVE-2023-31144 GHSA-j4mx-98hw-6rv6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
Affected by 16 other vulnerabilities. Affected by 54 other vulnerabilities. |
|
VCID-gqy1-6u5a-hkeu
Aliases: CVE-2023-33495 GHSA-m3v5-gjj9-rg24 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft CMS through 4.4.9 is vulnerable to HTML Injection. |
Affected by 48 other vulnerabilities. |
|
VCID-jj4x-bfuc-c7e4
Aliases: CVE-2022-37783 GHSA-h972-v458-m892 |
Affected by 20 other vulnerabilities. |
|
|
VCID-k2hd-wks4-ducu
Aliases: CVE-2024-37843 GHSA-hq4f-mv3q-8wcv |
Affected by 22 other vulnerabilities. |
|
|
VCID-ksxr-4r5f-w7ck
Aliases: CVE-2023-36260 GHSA-6p78-f7h9-6838 |
Craft CMS Feed-Me An issue discovered in Craft CMS version 4.6.1. allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected. |
Affected by 0 other vulnerabilities. Affected by 46 other vulnerabilities. |
|
VCID-kts7-xtbb-tqgy
Aliases: CVE-2023-33194 GHSA-3wxg-w96j-8hq9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. |
Affected by 15 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-nyqy-y3dw-eyer
Aliases: CVE-2025-35939 GHSA-7vrx-9684-xrf2 |
Affected by 40 other vulnerabilities. Affected by 46 other vulnerabilities. |
|
|
VCID-pggs-g9c8-w7d1
Aliases: CVE-2025-68456 GHSA-v64r-7wg9-23pr |
Unauthenticated Craft CMS users can trigger a database backup Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources: https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
Affected by 33 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-r8ea-btqd-uuac
Aliases: CVE-2023-30130 GHSA-fjx5-xm7q-whvj |
CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. |
Affected by 17 other vulnerabilities. |
|
VCID-sm2a-qs2r-w3c6
Aliases: CVE-2022-29933 GHSA-5cjr-78cq-3wrg |
Weak Password Recovery Mechanism for Forgotten Password Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). |
Affected by 21 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-w9cn-xgye-jber
Aliases: CVE-2025-32432 GHSA-f3gw-9ww9-jmc3 |
Affected by 5 other vulnerabilities. Affected by 40 other vulnerabilities. Affected by 46 other vulnerabilities. |
|
|
VCID-wx6u-ss6p-3ue3
Aliases: CVE-2024-56145 GHSA-2p6p-9rc9-62j9 |
Affected by 6 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 45 other vulnerabilities. |
|
|
VCID-x3mb-qyu8-n3hz
Aliases: GHSA-wf98-vxv9-jqfv GMS-2022-790 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
Affected by 23 other vulnerabilities. |
|
VCID-ytkk-yf5a-cud3
Aliases: CVE-2021-32470 GHSA-h2rj-8wgg-mm43 |
Affected by 26 other vulnerabilities. |
|
|
VCID-z48z-h23a-5qag
Aliases: CVE-2024-21622 GHSA-j5g9-j7r4-6qvx |
Improper Privilege Management Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. |
Affected by 9 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-zdzh-bgs7-67dd
Aliases: CVE-2023-30177 GHSA-wv7j-rc2q-9j67 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name. |
Affected by 18 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||