Advisory ROSA-SA-2021-1809

Published: 2021-07-02 16:34:28
Source: ROSA LAB (abf.rosalinux.ru)
CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.6 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score: 6.8 Medium (Confidence: High)
EPSS: 0.449 Medium (Percentile: 97.4%)

Software: bolt 0.7
OS: Cobalt 7.9

CVE-ID: CVE-2015-7309
CVE-Crit: HIGH
CVE-DESC: The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, allowing remote authenticated users to execute arbitrary code by renaming a created file and then directly accessing it.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-16754
CVE-Crit: MEDIUM
CVE-DESC: Bolt before 3.3.6 incorrectly restricted access to _profiler routes associated with EventListener/ProfilerListener.php and Provider/EventListenerServiceProvider.php.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-19933
CVE-Crit: MEDIUM
CVE-DESC: Bolt CMS <3.6.2 allows XSS via the text entry preview button, as demonstrated by the title field of the customized and new entry.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-15484
CVE-Crit: MEDIUM
CVE-DESC: Bolt before 3.6.10 has XSS via the alt or title field of an image.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-15485
CVE-Crit: MEDIUM
CVE-DESC: Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-15483
CVE-Crit: MEDIUM
CVE-DESC: Bolt before version 3.6.10 has XSS via a header that is mishandled in the system log.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-9185
CVE-Crit: HIGH
CVE-DESC: Controller/Async/FilesystemManager.php in the File Manager in Bolt before version 3.6.5 allows remote attackers to execute arbitrary PHP code by renaming a previously downloaded file with a .php extension.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-28925
CVE-Crit: MEDIUM
CVE-DESC: Bolt prior to 3.7.2 did not restrict filtering parameters in a query in a Twig context and is therefore incompatible with the “How to harden PHP security for better security” guide.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-4040
CVE-Crit: MEDIUM
CVE-DESC: Bolt CMS prior to version 3.7.1 lacked CSRF protection in the endpoint that generates the preview. Previews are meant to be created by administrators, developers, editors-in-chief and editors who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users can create previews. This has been fixed in Bolt 3.7.1.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-4041
CVE-Crit: MEDIUM
CVE-DESC: In Bolt CMS before version 3.7.1, the uploaded file name was vulnerable to stored XSS. It is not possible to insert JavaScript code in the filename while creating or uploading the file, but once created or uploaded, the file can be renamed to add a payload to its name. The measures that prevent renaming a file to a prohibited file extension can also be bypassed. This is fixed in Bolt 3.7.1.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-27367
CVE-Crit: HIGH
CVE-DESC: Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before version 4.1.13 allow directory traversal.
CVE-STATUS: default
CVE-REV: default

OS      Version  Architecture  Package  Version  Filename
Cobalt  any      noarch        bolt     < 0      UNKNOWN
