CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...
Design/Logic Flaw
DISPUTED CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only...
Cross site scripting
CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into Volume Name...
PT-2023-22566 · Craft Cms · Craft Cms
Name of the Vulnerable Software and Affected Versions: CraftCMS versions 3.7.59 through 3.7.67. Description: The issue allows an attacker to inject JavaScript code into the Volume Name, potentially leading to Cross Site Scripting (XSS) attacks. This could enable attackers to execute malicious script...
Information disclosure
Saleor is a headless GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and are therefore returned by the API as error messages. Some messages might contain sensitive information, such as infrastructure details, in unauthenticated...