| 0 |
| url |
VCID-3r9x-ax4j-3yha |
| vulnerability_id |
VCID-3r9x-ax4j-3yha |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft CMS before 3.7.29 allows XSS. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.29 |
| purl |
pkg:composer/craftcms/cms@3.7.29 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 7 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 8 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 9 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 10 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 11 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 12 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 13 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 14 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 15 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 16 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 17 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 18 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 19 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 20 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 21 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 22 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.29 |
|
|
| aliases |
CVE-2022-28378, GHSA-7xj5-fwqr-5378
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3r9x-ax4j-3yha |
|
| 1 |
| url |
VCID-41y2-tucq-ykaj |
| vulnerability_id |
VCID-41y2-tucq-ykaj |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.64 |
| purl |
pkg:composer/craftcms/cms@3.7.64 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 5 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 6 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 7 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 8 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 9 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 10 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 11 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 12 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 13 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 14 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 15 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 16 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 17 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 18 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 19 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.64 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.3.7 |
| purl |
pkg:composer/craftcms/cms@4.3.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-2vn9-2cs3-vbg3 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 6 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 7 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 8 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 9 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 10 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 11 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 12 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 13 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 14 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 15 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 16 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 17 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 18 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 19 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 20 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 21 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 22 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 23 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 24 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 25 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 26 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 27 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 28 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 29 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 30 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 31 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 32 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 33 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 34 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 35 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 36 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 37 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 38 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 39 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 40 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 41 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 42 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 43 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 44 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 45 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 46 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 47 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 48 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 49 |
| vulnerability |
VCID-rvrz-498f-2uet |
|
| 50 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 51 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 52 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 53 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 54 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 55 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
| 56 |
| vulnerability |
VCID-wcx6-wed9-gub2 |
|
| 57 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.3.7 |
|
|
| aliases |
CVE-2023-23927, GHSA-qcrj-6ffc-v7hq
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-41y2-tucq-ykaj |
|
| 2 |
| url |
VCID-5mnd-qvaq-k3am |
| vulnerability_id |
VCID-5mnd-qvaq-k3am |
| summary |
Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources:
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.17 |
| purl |
pkg:composer/craftcms/cms@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 1 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 2 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 3 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 4 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 5 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 6 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 7 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 8 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 9 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 10 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 11 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 12 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 13 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 14 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 15 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 16 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 17 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 18 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 19 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 20 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 21 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 22 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 23 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 24 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 25 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 26 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 27 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 28 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 29 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 30 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 31 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 32 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 33 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 34 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 1 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 2 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 3 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 4 |
| vulnerability |
VCID-5tzm-738x-xka9 |
|
| 5 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 6 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 7 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 8 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 9 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 10 |
| vulnerability |
VCID-a8p2-5cmc-n7g2 |
|
| 11 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 12 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 13 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 14 |
| vulnerability |
VCID-bqep-3c6u-mqhu |
|
| 15 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 16 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 17 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 18 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 19 |
| vulnerability |
VCID-esma-wxje-eqh3 |
|
| 20 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 21 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 22 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 23 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 24 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 25 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 26 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 27 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 28 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 29 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 30 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 31 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 32 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 33 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 34 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 35 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 36 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 37 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 38 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 39 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 40 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 41 |
| vulnerability |
VCID-vvhc-rnpr-ubey |
|
| 42 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68456, GHSA-v64r-7wg9-23pr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am |
|
| 3 |
| url |
VCID-5pur-jy1x-gfhv |
| vulnerability_id |
VCID-5pur-jy1x-gfhv |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.6 |
| purl |
pkg:composer/craftcms/cms@4.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-2vn9-2cs3-vbg3 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 6 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 7 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 8 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 9 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 10 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 11 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 12 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 13 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 14 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 15 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 16 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 17 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 18 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 19 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 20 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 21 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 22 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 23 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 24 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 25 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 26 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 27 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 28 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 29 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 30 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 31 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 32 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 33 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 34 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 35 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 36 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 37 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 38 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 39 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 40 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 41 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 42 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 43 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 44 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 45 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 46 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 47 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 48 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 49 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 50 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
| 51 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6 |
|
|
| aliases |
CVE-2023-33197, GHSA-6qjx-787v-6pxr
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5pur-jy1x-gfhv |
|
| 4 |
| url |
VCID-6hcd-ayyh-3fdb |
| vulnerability_id |
VCID-6hcd-ayyh-3fdb |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.8.4 |
| purl |
pkg:composer/craftcms/cms@3.8.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 3 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 4 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 5 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 6 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 7 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 8 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 9 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 10 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 11 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 12 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 13 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 14 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 15 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.4 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.4.4 |
| purl |
pkg:composer/craftcms/cms@4.4.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-2vn9-2cs3-vbg3 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 6 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 7 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 8 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 9 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 10 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 11 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 12 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 13 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 14 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 15 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 16 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 17 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 18 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 19 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 20 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 21 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 22 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 23 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 24 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 25 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 26 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 27 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 28 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 29 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 30 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 31 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 32 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 33 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 34 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 35 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 36 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 37 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 38 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 39 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 40 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 41 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 42 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 43 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 44 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 45 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 46 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 47 |
| vulnerability |
VCID-rvrz-498f-2uet |
|
| 48 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 49 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 50 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 51 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 52 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 53 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
| 54 |
| vulnerability |
VCID-wcx6-wed9-gub2 |
|
| 55 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.4 |
|
|
| aliases |
CVE-2023-31144, GHSA-j4mx-98hw-6rv6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6hcd-ayyh-3fdb |
|
| 5 |
| url |
VCID-8pjj-w8h7-p7ga |
| vulnerability_id |
VCID-8pjj-w8h7-p7ga |
| summary |
Weak Password Recovery Mechanism for Forgotten Password
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.36 |
| purl |
pkg:composer/craftcms/cms@3.7.36 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 7 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 8 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 9 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 10 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 11 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 12 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 13 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 14 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 15 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 16 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 17 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 18 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 19 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 20 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.36 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@3.7.37 |
| purl |
pkg:composer/craftcms/cms@3.7.37 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 5 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 6 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 7 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 8 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 9 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 10 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 11 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 12 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 13 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 14 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 15 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 16 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 17 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 18 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 19 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.37 |
|
|
| aliases |
CVE-2022-29933, GHSA-5cjr-78cq-3wrg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8pjj-w8h7-p7ga |
|
| 6 |
| url |
VCID-aajd-9qsf-37cr |
| vulnerability_id |
VCID-aajd-9qsf-37cr |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft CMS through 4.4.9 is vulnerable to HTML Injection. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.10 |
| purl |
pkg:composer/craftcms/cms@4.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 3 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 4 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 13 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 14 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 15 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 16 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 17 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 18 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 19 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 20 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 21 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 22 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 23 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 24 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 25 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 26 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 27 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 28 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 29 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 30 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 31 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 32 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 33 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 34 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 35 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 36 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 37 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 38 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 39 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 40 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 41 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 42 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 43 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 44 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 45 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 46 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 47 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 48 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
| 49 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.10 |
|
|
| aliases |
CVE-2023-33495, GHSA-m3v5-gjj9-rg24
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aajd-9qsf-37cr |
|
| 7 |
| url |
VCID-c2nk-y4rx-1qf4 |
| vulnerability_id |
VCID-c2nk-y4rx-1qf4 |
| summary |
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
You are affected if your php.ini configuration has `register_argc_argv` enabled. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/Chocapikk/CVE-2024-56145 |
| reference_id |
CVE-2024-56145 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/Chocapikk/CVE-2024-56145 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 |
| reference_id |
GHSA-2p6p-9rc9-62j9 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A |
|
| 2 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.13.2 |
| purl |
pkg:composer/craftcms/cms@4.13.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 13 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 14 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 15 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 16 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 17 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 18 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 19 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 20 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 21 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 22 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 23 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 24 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 25 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 26 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 27 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 28 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 29 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 30 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 31 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 32 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 33 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 34 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 35 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 36 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 37 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 38 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 39 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 40 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 41 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 42 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 43 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2 |
|
| 2 |
| url |
pkg:composer/craftcms/cms@5.5.2 |
| purl |
pkg:composer/craftcms/cms@5.5.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 13 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 14 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 15 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 16 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 17 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 18 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 19 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 20 |
| vulnerability |
VCID-esma-wxje-eqh3 |
|
| 21 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 22 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 23 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 24 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 25 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 26 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 27 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 28 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 29 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 30 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 31 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 32 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 33 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 34 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 35 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 36 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 37 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 38 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 39 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 40 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 41 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 42 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 43 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 44 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 45 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 46 |
| vulnerability |
VCID-vvhc-rnpr-ubey |
|
| 47 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2 |
|
|
| aliases |
CVE-2024-56145, GHSA-2p6p-9rc9-62j9
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c2nk-y4rx-1qf4 |
|
| 8 |
| url |
VCID-chep-xthg-zuee |
| vulnerability_id |
VCID-chep-xthg-zuee |
| summary |
Craft CMS Arbitrary System File Read
By abusing the mail notification template it is possible to read arbitrary operating system files. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
7.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.12.8 |
| purl |
pkg:composer/craftcms/cms@4.12.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 13 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 14 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 15 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 16 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 17 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 18 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 19 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 20 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 21 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 22 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 23 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 24 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 25 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 26 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 27 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 28 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 29 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 30 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 31 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 32 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 33 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 34 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 35 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 36 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 37 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 38 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 39 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 40 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 41 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 42 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 43 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 44 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.8 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.4.9 |
| purl |
pkg:composer/craftcms/cms@5.4.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 13 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 14 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 15 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 16 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 17 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 18 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 19 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 20 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 21 |
| vulnerability |
VCID-esma-wxje-eqh3 |
|
| 22 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 23 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 24 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 25 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 26 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 27 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 28 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 29 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 30 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 31 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 32 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 33 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 34 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 35 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 36 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 37 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 38 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 39 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 40 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 41 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 42 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 43 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 44 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 45 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 46 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 47 |
| vulnerability |
VCID-vvhc-rnpr-ubey |
|
| 48 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9 |
|
|
| aliases |
CVE-2024-52292, GHSA-cw6g-qmjq-6w2w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-chep-xthg-zuee |
|
| 9 |
| url |
VCID-cwm6-qf1f-2keb |
| vulnerability_id |
VCID-cwm6-qf1f-2keb |
| summary |
Craft CMS SQL injection vulnerability via the GraphQL API endpoint
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.32 |
| purl |
pkg:composer/craftcms/cms@3.7.32 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 7 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 8 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 9 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 10 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 11 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 12 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 13 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 14 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 15 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 16 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 17 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 18 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 19 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 20 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 21 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.32 |
|
|
| aliases |
CVE-2024-37843, GHSA-hq4f-mv3q-8wcv
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cwm6-qf1f-2keb |
|
| 10 |
| url |
VCID-dz26-b2ts-puep |
| vulnerability_id |
VCID-dz26-b2ts-puep |
| summary |
Craft CMS Feed-Me
An issue discovered in Craft CMS version 4.6.1. allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.7.0 |
| purl |
pkg:composer/craftcms/cms@4.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 6 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 7 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 8 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 9 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 10 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 11 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 12 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 13 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 14 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 15 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 16 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 17 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 18 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 19 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 20 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 21 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 22 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 23 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 24 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 25 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 26 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 27 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 28 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 29 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 30 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 31 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 32 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 33 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 34 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 35 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 36 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 37 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 38 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 39 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 40 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 41 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 42 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 43 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 44 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 45 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 46 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 47 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0 |
|
|
| aliases |
CVE-2023-36260, GHSA-6p78-f7h9-6838
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dz26-b2ts-puep |
|
| 11 |
| url |
VCID-ec34-nvn3-qbcb |
| vulnerability_id |
VCID-ec34-nvn3-qbcb |
| summary |
Craft CMS vulnerable to Remote Code Execution via validatePath bypass
Bypassing the validatePath function can lead to potential Remote Code Execution
(Post-authentication, ALLOW_ADMIN_CHANGES=true) |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.4.15 |
| purl |
pkg:composer/craftcms/cms@4.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 3 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 4 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 13 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 14 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 15 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 16 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 17 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 18 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 19 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 20 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 21 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 22 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 23 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 24 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 25 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 26 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 27 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 28 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 29 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 30 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 31 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 32 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 33 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 34 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 35 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 36 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 37 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 38 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 39 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 40 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 41 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 42 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 43 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 44 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 45 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 46 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15 |
|
|
| aliases |
CVE-2023-40035, GHSA-44wr-rmwq-3phw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ec34-nvn3-qbcb |
|
| 12 |
| url |
VCID-eecq-8t4y-kka3 |
| vulnerability_id |
VCID-eecq-8t4y-kka3 |
| summary |
Craft CMS discloses password hashes
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash in without encoding it whereas the corresponding HTML hidden field discloses the users' password hash in a masked manner, which can be decoded by using public functions of the YII framework. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.33 |
| purl |
pkg:composer/craftcms/cms@3.7.33 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 5 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 6 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 7 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 8 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 9 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 10 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 11 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 12 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 13 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 14 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 15 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 16 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 17 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 18 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 19 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.33 |
|
|
| aliases |
CVE-2022-37783, GHSA-h972-v458-m892
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eecq-8t4y-kka3 |
|
| 13 |
| url |
VCID-fpea-e48p-kfbn |
| vulnerability_id |
VCID-fpea-e48p-kfbn |
| summary |
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.
This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.19 |
| purl |
pkg:composer/craftcms/cms@4.16.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 1 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 2 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 3 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 4 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 5 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 6 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 7 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 8 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 9 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 10 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 11 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 12 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 13 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 14 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 15 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 16 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 17 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 18 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 19 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 20 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 21 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 22 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 23 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 24 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 1 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 2 |
| vulnerability |
VCID-5tzm-738x-xka9 |
|
| 3 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 4 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 5 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 6 |
| vulnerability |
VCID-a8p2-5cmc-n7g2 |
|
| 7 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 8 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 9 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 10 |
| vulnerability |
VCID-bqep-3c6u-mqhu |
|
| 11 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 12 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 13 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 14 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 15 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 16 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 17 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 18 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 19 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 20 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 21 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 22 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 23 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 24 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 25 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 26 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 27 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 28 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 29 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 30 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27127, GHSA-gp2f-7wcm-5fhx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fpea-e48p-kfbn |
|
| 14 |
| url |
VCID-hkp9-3hzv-quhk |
| vulnerability_id |
VCID-hkp9-3hzv-quhk |
| summary |
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
The SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.
This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)). |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.19 |
| purl |
pkg:composer/craftcms/cms@4.16.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 1 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 2 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 3 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 4 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 5 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 6 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 7 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 8 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 9 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 10 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 11 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 12 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 13 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 14 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 15 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 16 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 17 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 18 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 19 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 20 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 21 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 22 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 23 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 24 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 1 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 2 |
| vulnerability |
VCID-5tzm-738x-xka9 |
|
| 3 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 4 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 5 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 6 |
| vulnerability |
VCID-a8p2-5cmc-n7g2 |
|
| 7 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 8 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 9 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 10 |
| vulnerability |
VCID-bqep-3c6u-mqhu |
|
| 11 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 12 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 13 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 14 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 15 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 16 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 17 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 18 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 19 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 20 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 21 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 22 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 23 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 24 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 25 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 26 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 27 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 28 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 29 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 30 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27129, GHSA-v2gc-rm6g-wrw9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hkp9-3hzv-quhk |
|
| 15 |
| url |
VCID-hm7h-7cu3-8be1 |
| vulnerability_id |
VCID-hm7h-7cu3-8be1 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.8.6 |
| purl |
pkg:composer/craftcms/cms@3.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 3 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 4 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 5 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 6 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 7 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 8 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 9 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 10 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 11 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 12 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 13 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 14 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.6 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.4.6 |
| purl |
pkg:composer/craftcms/cms@4.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-2vn9-2cs3-vbg3 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 6 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 7 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 8 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 9 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 10 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 11 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 12 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 13 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 14 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 15 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 16 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 17 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 18 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 19 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 20 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 21 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 22 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 23 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 24 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 25 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 26 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 27 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 28 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 29 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 30 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 31 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 32 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 33 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 34 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 35 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 36 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 37 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 38 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 39 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 40 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 41 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 42 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 43 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 44 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 45 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 46 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 47 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 48 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 49 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 50 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
| 51 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6 |
|
|
| aliases |
CVE-2023-33194, GHSA-3wxg-w96j-8hq9
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hm7h-7cu3-8be1 |
|
| 16 |
| url |
VCID-jhen-vhqx-n7dr |
| vulnerability_id |
VCID-jhen-vhqx-n7dr |
| summary |
Improper Privilege Management
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.5.11 |
| purl |
pkg:composer/craftcms/cms@4.5.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 6 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 7 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 8 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 9 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 10 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 11 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 12 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 13 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 14 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 15 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 16 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 17 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 18 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 19 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 20 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 21 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 22 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 23 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 24 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 25 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 26 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 27 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 28 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 29 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 30 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 31 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 32 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 33 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 34 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 35 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 36 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 37 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 38 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 39 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 40 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 41 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 42 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 43 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 44 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 45 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 46 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 47 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 48 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11 |
|
|
| aliases |
CVE-2024-21622, GHSA-j5g9-j7r4-6qvx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jhen-vhqx-n7dr |
|
| 17 |
| url |
VCID-jxet-d8ux-mkge |
| vulnerability_id |
VCID-jxet-d8ux-mkge |
| summary |
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/craftcms/cms/pull/17220 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/17220 |
|
| 4 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/4.15.3 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/4.15.3 |
|
| 5 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/5.7.5 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/5.7.5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://www.cve.org/CVERecord?id=CVE-2025-35939 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
|
| url |
https://www.cve.org/CVERecord?id=CVE-2025-35939 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.15.3 |
| purl |
pkg:composer/craftcms/cms@4.15.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 13 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 14 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 15 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 16 |
| vulnerability |
VCID-dbcz-erbe-u7dt |
|
| 17 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 18 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 19 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 20 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 21 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 22 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 23 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 24 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 25 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 26 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 27 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 28 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 29 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 30 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 31 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 32 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 33 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 34 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 35 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 36 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 37 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 38 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 39 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 40 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 41 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.7.5 |
| purl |
pkg:composer/craftcms/cms@5.7.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-5tzm-738x-xka9 |
|
| 8 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 9 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 10 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 11 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 12 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 13 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 14 |
| vulnerability |
VCID-a8p2-5cmc-n7g2 |
|
| 15 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 16 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 17 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 18 |
| vulnerability |
VCID-bqep-3c6u-mqhu |
|
| 19 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 20 |
| vulnerability |
VCID-dbcz-erbe-u7dt |
|
| 21 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 22 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 23 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 24 |
| vulnerability |
VCID-esma-wxje-eqh3 |
|
| 25 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 26 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 27 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 28 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 29 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 30 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 31 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 32 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 33 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 34 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 35 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 36 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 37 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 38 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 39 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 40 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 41 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 42 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 43 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 44 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 45 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 46 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 47 |
| vulnerability |
VCID-vvhc-rnpr-ubey |
|
| 48 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5 |
|
|
| aliases |
CVE-2025-35939, GHSA-7vrx-9684-xrf2
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxet-d8ux-mkge |
|
| 18 |
| url |
VCID-qcwp-su57-9fa1 |
| vulnerability_id |
VCID-qcwp-su57-9fa1 |
| summary |
Improper Control of Generation of Code ('Code Injection')
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.2 |
| purl |
pkg:composer/craftcms/cms@4.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-2vn9-2cs3-vbg3 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 6 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 7 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 8 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 9 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 10 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 11 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 12 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 13 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 14 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 15 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 16 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 17 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 18 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 19 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 20 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 21 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 22 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 23 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 24 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 25 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 26 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 27 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 28 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 29 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 30 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 31 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 32 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 33 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 34 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 35 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 36 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 37 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 38 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 39 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 40 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 41 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 42 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 43 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 44 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 45 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 46 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 47 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 48 |
| vulnerability |
VCID-rvrz-498f-2uet |
|
| 49 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 50 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 51 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 52 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 53 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 54 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
| 55 |
| vulnerability |
VCID-wcx6-wed9-gub2 |
|
| 56 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.2 |
|
|
| aliases |
CVE-2023-30179, GHSA-3x74-v64j-qc3f
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qcwp-su57-9fa1 |
|
| 19 |
| url |
VCID-qq68-3j4y-47am |
| vulnerability_id |
VCID-qq68-3j4y-47am |
| summary |
Craft CMS Allows Remote Code Execution
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.14.15 |
| purl |
pkg:composer/craftcms/cms@4.14.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 13 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 14 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 15 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 16 |
| vulnerability |
VCID-dbcz-erbe-u7dt |
|
| 17 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 18 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 19 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 20 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 21 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 22 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 23 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 24 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 25 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 26 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 27 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 28 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 29 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 30 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 31 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 32 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 33 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 34 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 35 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 36 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 37 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 38 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 39 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 40 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 41 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15 |
|
| 2 |
| url |
pkg:composer/craftcms/cms@5.6.17 |
| purl |
pkg:composer/craftcms/cms@5.6.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 3 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 4 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 7 |
| vulnerability |
VCID-5tzm-738x-xka9 |
|
| 8 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 9 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 10 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 11 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 12 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 13 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 14 |
| vulnerability |
VCID-a8p2-5cmc-n7g2 |
|
| 15 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 16 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 17 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 18 |
| vulnerability |
VCID-bqep-3c6u-mqhu |
|
| 19 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 20 |
| vulnerability |
VCID-dbcz-erbe-u7dt |
|
| 21 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 22 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 23 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 24 |
| vulnerability |
VCID-esma-wxje-eqh3 |
|
| 25 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 26 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 27 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 28 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 29 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 30 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 31 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 32 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 33 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 34 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 35 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 36 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 37 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 38 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 39 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 40 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 41 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 42 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 43 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 44 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 45 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 46 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 47 |
| vulnerability |
VCID-vvhc-rnpr-ubey |
|
| 48 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17 |
|
|
| aliases |
CVE-2025-32432, GHSA-f3gw-9ww9-jmc3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qq68-3j4y-47am |
|
| 20 |
| url |
VCID-rb7c-3nkc-gkeg |
| vulnerability_id |
VCID-rb7c-3nkc-gkeg |
| summary |
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.
Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.References:
https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.17 |
| purl |
pkg:composer/craftcms/cms@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 1 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 2 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 3 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 4 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 5 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 6 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 7 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 8 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 9 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 10 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 11 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 12 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 13 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 14 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 15 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 16 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 17 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 18 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 19 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 20 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 21 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 22 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 23 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 24 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 25 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 26 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 27 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 28 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 29 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 30 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 31 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 32 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 33 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 34 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-39ct-cg7w-kyb6 |
|
| 1 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 2 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 3 |
| vulnerability |
VCID-5q5g-jrxm-eyhe |
|
| 4 |
| vulnerability |
VCID-5tzm-738x-xka9 |
|
| 5 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 6 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 7 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 8 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 9 |
| vulnerability |
VCID-a3b5-pwyh-yugv |
|
| 10 |
| vulnerability |
VCID-a8p2-5cmc-n7g2 |
|
| 11 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 12 |
| vulnerability |
VCID-asek-4gme-gug8 |
|
| 13 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 14 |
| vulnerability |
VCID-bqep-3c6u-mqhu |
|
| 15 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 16 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 17 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 18 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 19 |
| vulnerability |
VCID-esma-wxje-eqh3 |
|
| 20 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 21 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 22 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 23 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 24 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 25 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 26 |
| vulnerability |
VCID-jnrx-e9b5-wqew |
|
| 27 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 28 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 29 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 30 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 31 |
| vulnerability |
VCID-p3n8-1sht-bfbt |
|
| 32 |
| vulnerability |
VCID-pgm4-svq8-tfc5 |
|
| 33 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 34 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 35 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 36 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 37 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 38 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 39 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 40 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 41 |
| vulnerability |
VCID-vvhc-rnpr-ubey |
|
| 42 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68437, GHSA-x27p-wfqw-hfcc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rb7c-3nkc-gkeg |
|
| 21 |
| url |
VCID-s5v6-e631-17f5 |
| vulnerability_id |
VCID-s5v6-e631-17f5 |
| summary |
CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter
An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://craftcms.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://craftcms.com |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://craftcms.com/ |
| reference_id |
craftcms.com |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-24T16:00:57Z/ |
|
|
| url |
https://craftcms.com/ |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.8.2 |
| purl |
pkg:composer/craftcms/cms@3.8.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 3 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 4 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 5 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 6 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 7 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 8 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 9 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 10 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 11 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 12 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 13 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 14 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 15 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 16 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.2 |
|
|
| aliases |
CVE-2023-30130, GHSA-fjx5-xm7q-whvj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s5v6-e631-17f5 |
|
| 22 |
| url |
VCID-u4t8-gkkb-73bv |
| vulnerability_id |
VCID-u4t8-gkkb-73bv |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.29 |
| purl |
pkg:composer/craftcms/cms@3.7.29 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-41y2-tucq-ykaj |
|
| 1 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 2 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 3 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 4 |
| vulnerability |
VCID-8pjj-w8h7-p7ga |
|
| 5 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 6 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 7 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 8 |
| vulnerability |
VCID-cwm6-qf1f-2keb |
|
| 9 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 10 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 11 |
| vulnerability |
VCID-eecq-8t4y-kka3 |
|
| 12 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 13 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 14 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 15 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 16 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 17 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 18 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 19 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 20 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 21 |
| vulnerability |
VCID-vbz3-3rqd-3fh6 |
|
| 22 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.29 |
|
|
| aliases |
GHSA-wf98-vxv9-jqfv, GMS-2022-790
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u4t8-gkkb-73bv |
|
| 23 |
| url |
VCID-vbz3-3rqd-3fh6 |
| vulnerability_id |
VCID-vbz3-3rqd-3fh6 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@3.7.68 |
| purl |
pkg:composer/craftcms/cms@3.7.68 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 1 |
| vulnerability |
VCID-5pur-jy1x-gfhv |
|
| 2 |
| vulnerability |
VCID-6hcd-ayyh-3fdb |
|
| 3 |
| vulnerability |
VCID-aajd-9qsf-37cr |
|
| 4 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 5 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 6 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 7 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 8 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 9 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 10 |
| vulnerability |
VCID-hm7h-7cu3-8be1 |
|
| 11 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 12 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 13 |
| vulnerability |
VCID-qcwp-su57-9fa1 |
|
| 14 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 15 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 16 |
| vulnerability |
VCID-s5v6-e631-17f5 |
|
| 17 |
| vulnerability |
VCID-ymw8-mvrz-e7bc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.68 |
|
|
| aliases |
CVE-2023-30177, GHSA-wv7j-rc2q-9j67
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vbz3-3rqd-3fh6 |
|
| 24 |
| url |
VCID-ymw8-mvrz-e7bc |
| vulnerability_id |
VCID-ymw8-mvrz-e7bc |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.12 |
| purl |
pkg:composer/craftcms/cms@4.4.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1468-4fdx-kbfr |
|
| 1 |
| vulnerability |
VCID-1mb5-28xp-ckd2 |
|
| 2 |
| vulnerability |
VCID-41uv-1axm-fugb |
|
| 3 |
| vulnerability |
VCID-4wkr-jx1w-77hn |
|
| 4 |
| vulnerability |
VCID-5cxe-tjpb-3qan |
|
| 5 |
| vulnerability |
VCID-5mnd-qvaq-k3am |
|
| 6 |
| vulnerability |
VCID-71sv-62m4-z3er |
|
| 7 |
| vulnerability |
VCID-7y4f-ef7t-47eb |
|
| 8 |
| vulnerability |
VCID-83rt-3tyj-qbgx |
|
| 9 |
| vulnerability |
VCID-8u2j-17a4-q7eh |
|
| 10 |
| vulnerability |
VCID-9ca4-tbhq-27ad |
|
| 11 |
| vulnerability |
VCID-9enr-b6zd-mbh8 |
|
| 12 |
| vulnerability |
VCID-akrv-yqnf-1kg8 |
|
| 13 |
| vulnerability |
VCID-azr5-12f8-hfbm |
|
| 14 |
| vulnerability |
VCID-c2nk-y4rx-1qf4 |
|
| 15 |
| vulnerability |
VCID-chep-xthg-zuee |
|
| 16 |
| vulnerability |
VCID-cys8-jnmu-77ec |
|
| 17 |
| vulnerability |
VCID-dz26-b2ts-puep |
|
| 18 |
| vulnerability |
VCID-e94m-mj1k-8kbr |
|
| 19 |
| vulnerability |
VCID-eaxm-rjr7-xudb |
|
| 20 |
| vulnerability |
VCID-ec34-nvn3-qbcb |
|
| 21 |
| vulnerability |
VCID-efwv-r3nc-73h9 |
|
| 22 |
| vulnerability |
VCID-f7gc-cgka-tycr |
|
| 23 |
| vulnerability |
VCID-fpea-e48p-kfbn |
|
| 24 |
| vulnerability |
VCID-fpke-p7sz-nfc9 |
|
| 25 |
| vulnerability |
VCID-gzry-xtu5-ukhu |
|
| 26 |
| vulnerability |
VCID-h6t5-pdp5-8qhe |
|
| 27 |
| vulnerability |
VCID-hkp9-3hzv-quhk |
|
| 28 |
| vulnerability |
VCID-hyct-5gap-7kdu |
|
| 29 |
| vulnerability |
VCID-jeyh-3jxd-z3g6 |
|
| 30 |
| vulnerability |
VCID-jhen-vhqx-n7dr |
|
| 31 |
| vulnerability |
VCID-jsfs-azcs-mfcm |
|
| 32 |
| vulnerability |
VCID-jxet-d8ux-mkge |
|
| 33 |
| vulnerability |
VCID-jxz8-g6fq-dubw |
|
| 34 |
| vulnerability |
VCID-kbrc-85av-nfcn |
|
| 35 |
| vulnerability |
VCID-m5rf-usae-yfb7 |
|
| 36 |
| vulnerability |
VCID-nmzu-mefv-tqeh |
|
| 37 |
| vulnerability |
VCID-ppet-ruae-1kav |
|
| 38 |
| vulnerability |
VCID-qq68-3j4y-47am |
|
| 39 |
| vulnerability |
VCID-qwmy-d2e8-5khw |
|
| 40 |
| vulnerability |
VCID-qywv-vf4r-8bh9 |
|
| 41 |
| vulnerability |
VCID-r5hp-5nju-9ubz |
|
| 42 |
| vulnerability |
VCID-rb7c-3nkc-gkeg |
|
| 43 |
| vulnerability |
VCID-rzq4-h1ms-nqef |
|
| 44 |
| vulnerability |
VCID-sa99-8awj-eycd |
|
| 45 |
| vulnerability |
VCID-twuy-wzb7-k7g3 |
|
| 46 |
| vulnerability |
VCID-tzjk-x116-ayge |
|
| 47 |
| vulnerability |
VCID-vasz-rnn1-67ev |
|
| 48 |
| vulnerability |
VCID-w9yn-1573-hyau |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.12 |
|
|
| aliases |
CVE-2023-2817, GHSA-7x94-jx75-3gh6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ymw8-mvrz-e7bc |
|