Lucene search
GoogleOSV:CVE-2018-20465HistoryDec 25, 2018 - 11:29 p.m.
CVE-2018-20465
2018-12-2523:29:00
Google
osv.dev
3
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
| CPE | Name | Operator | Version |
|---|---|---|---|
| cms | eq | 2.6.2776 | |
| cms | eq | 2.2.2604 | |
| cms | eq | 1.4.0-alpha.2506 | |
| cms | eq | 3.0.0-beta.19 | |
| cms | eq | 0.9.2204 | |
| cms | eq | 1.3.2473 | |
| cms | eq | 1.0.2278 | |
| cms | eq | 1.4.0-alpha.2503 | |
| cms | eq | 2.3.0-alpha.2602 | |
| cms | eq | 2.5.0-beta.2722 |
Related
cvelist
cvelist
CVE-2018-20465
2018-12-25 23:00:00
osv
osv
Craft CMS Vulnerable to Server-Side Template Injection
2022-05-13 01:51:05
nvd
nvd
CVE-2018-20465
2018-12-25 23:29:00
cve
cve
CVE-2018-20465
2018-12-25 23:29:00
veracode
veracode
Privilege Escalation
2018-12-26 06:27:10
prion
prion
Design/Logic Flaw
2018-12-25 23:29:00
github
github
Craft CMS Vulnerable to Server-Side Template Injection
2022-05-13 01:51:05