Lookup for vulnerable packages by Package URL.
| Purl | pkg:composer/craftcms/cms@3.0.0 |
| Type | composer |
| Namespace | craftcms |
| Name | cms |
| Version | 3.0.0 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 3.0.2 |
| Latest_non_vulnerable_version | 5.9.9 |
| Affected_by_vulnerabilities | entries 0-4, listed below |

Affected_by_vulnerabilities[0]

| url | VCID-5mnd-qvaq-k3am |
| vulnerability_id | VCID-5mnd-qvaq-k3am |
| summary | Unauthenticated Craft CMS users can trigger a database backup. Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. Resources: https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 and https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
| references | |
| fixed_packages | |
| aliases | CVE-2025-68456, GHSA-v64r-7wg9-23pr |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am |

Affected_by_vulnerabilities[1]

| (empty entry) | |

Affected_by_vulnerabilities[2]

| url | VCID-ec34-nvn3-qbcb |
| vulnerability_id | VCID-ec34-nvn3-qbcb |
| summary | Craft CMS vulnerable to Remote Code Execution via validatePath bypass. Bypassing the validatePath function can lead to potential Remote Code Execution (post-authentication, ALLOW_ADMIN_CHANGES=true). |
| references | |
| fixed_packages | |
| aliases | CVE-2023-40035, GHSA-44wr-rmwq-3phw |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-ec34-nvn3-qbcb |

Affected_by_vulnerabilities[3]

| url | VCID-hm7h-7cu3-8be1 |
| vulnerability_id | VCID-hm7h-7cu3-8be1 |
| summary | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. The old CVE fixed the XSS in the label HTML but didn't fix it when clicking save. This issue was patched in version 4.4.6. |
| references | |
| fixed_packages | |
| aliases | CVE-2023-33194, GHSA-3wxg-w96j-8hq9 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-hm7h-7cu3-8be1 |

Affected_by_vulnerabilities[4]

| url | VCID-jhen-vhqx-n7dr |
| vulnerability_id | VCID-jhen-vhqx-n7dr |
| summary | Improper Privilege Management. Craft is a content management system. This is a potential moderate-impact, low-complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permission setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. |
| references | |
| fixed_packages | |
| aliases | CVE-2024-21622, GHSA-j5g9-j7r4-6qvx |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-jhen-vhqx-n7dr |

| Fixing_vulnerabilities | |
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.0.0 |