Lucene search
K

10 matches found

Github Security Blog
Github Security Blog
added 4 days ago9 views

Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap

Summary EntriesController::actionSaveEntry performs entry-edit permission checks before request-controlled author changes are applied to the model. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the o...

7.6CVSS5.8AI score0.00245EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 5 days ago36 views

CVE-2026-50279 Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap

Craft CMS is a content management system CMS. IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author...

7.6CVSS0.00245EPSS
Exploits0References2
CVE
CVE
added 5 days ago11 views

CVE-2026-50279

Craft CMS (versions 5.0.0-RC1 through 5.9.20) contains an authorization gap in EntriesController::actionSaveEntry where entry-edit checks precede author changes. The code path allows attacker-supplied authors to mutate the authors list when the current user is among the old authors, without re-ru...

7.6CVSS5.7AI score0.00245EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/05 7:30 p.m.5 views

CVE-2026-28781

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds or authorId parameter into the POST request, which the backend...

7.1CVSS6AI score0.00326EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/03/03 9:0 p.m.7 views

Craft CMS: Entries Authorship Spoofing via Mass Assignment

Description The entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds or authorId parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign...

7.1CVSS6AI score0.00326EPSS
Exploits1References5Affected Software1
SUSE CVE
SUSE CVE
added 2023/02/15 5:36 a.m.2 views

SUSE CVE-2013-4340

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified userID parameter...

3.5CVSS6.5AI score0.0263EPSS
Exploits2References3
OSV
OSV
added 2013/09/19 9:45 a.m.14 views

MGASA-2013-0285 Updated wordpress and php-phpmailer packages fix security vulnerabilities

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations CVE-2013-4338. WordPress before 3.6.1 does not properly validate URLs before...

7.5CVSS6AI score0.08749EPSS
Exploits8References4
OSV
OSV
added 2013/09/12 1:30 p.m.7 views

CVE-2013-4340

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified userID parameter...

5.9AI score
Exploits0References9
Prion
Prion
added 2013/09/12 1:30 p.m.22 views

Code injection

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified userID parameter...

3.5CVSS6.5AI score0.0263EPSS
Exploits2References7Affected Software1
Debian CVE
Debian CVE
added 2013/09/12 10:0 a.m.24 views

CVE-2013-4340

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified userID parameter...

3.5CVSS4.7AI score0.0263EPSS
Exploits2
Rows per page
Query Builder