Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).
CPE | Name | Operator | Version |
---|---|---|---|
craftercms | eq | 3.1.7 | |
craftercms | eq | 3.1.11 | |
craftercms | eq | 3.1.5 | |
craftercms | eq | 3.1.4 | |
craftercms | eq | 3.1.10 | |
craftercms | eq | 3.1.9 | |
craftercms | eq | 3.1.0 | |
craftercms | eq | 3.1.6 | |
craftercms | eq | 3.1.8 | |
craftercms | eq | 3.1.1 |