99 matches found
CVE-2023-48701
Statamic CMS (Laravel/Git) suffers a Cross-site Scripting (XSS) via uploaded assets vulnerability (CVE-2023-48701). Before versions 3.4.15 and 4.36.0, HTML files crafted to look like images could be uploaded regardless of MIME validation via front-end Forms assets fields or the authenticated cont...
CVE-2023-48701 Statamic CMS vulnerable to Cross-site Scripting via uploaded assets
Statamic CMS is a Laravel and Git powered content management system CMS. Prior to versions 3.4.15 an 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or...
PT-2023-30910 · Unknown · Statamic Cms
Name of the Vulnerable Software and Affected Versions: Statamic CMS versions prior to 3.4.15 and 4.36.0 Description: The issue allows HTML files crafted to look like images to be uploaded, bypassing mime validation. This is applicable on front-end forms using the "Forms" feature with an assets...
Remote Code Execution (RCE)
statamic/cms is vulnerable to Remote Code Execution RCE. This vulnerability impacts both front-end forms employing the Forms feature and asset upload fields in the control panel. Malicious actors can exploit this loophole to introduce and execute arbitrary code via uploading image files...
Statamic CMS vulnerable to remote code execution via form uploads
Impact Similar to another advisory, certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Patches It has been patched in 3.4.14 and...
GHSA-2R53-9295-3M86 Statamic CMS vulnerable to remote code execution via form uploads
Impact Similar to another advisory, certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Patches It has been patched in 3.4.14 and...
CVE-2023-48217
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...
Input validation
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...
CVE-2023-48217 Remote code execution via form uploads in statamic/cms
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...
CVE-2023-48217 Remote code execution via form uploads in statamic/cms
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...
GHSA-72HG-5WR5-RMFC Statamic CMS remote code execution via front-end form uploads
Impact On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not affect the control panel. Patches It has been patched i...
Statamic CMS remote code execution via front-end form uploads
Impact On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not affect the control panel. Patches It has been patched i...
CVE-2023-47129 Statamic CMS remote code execution via front-end form uploads
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just any arbitrary form. This...
CVE-2023-47129 Statamic CMS remote code execution via front-end form uploads
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just any arbitrary form. This...
Cross-Site Scripting (XSS)
statamic/cms is vulnerable to Cross-Site Scripting XSS. The vulnerability exists in the index function at Svg.php because the SVG tag does not sanitize malicious SVG which allows an attacker to inject and execute arbitrary JavaScript...
Information Disclosure
statamic/cms is vulnerable to information disclosure. The vulnerability exists because it allows to filer a user by password hash which allows an attacker to gain access to sensitive information using a specially crafted regular expression filter in the users endpoint of REST API...
CVE-2022-24784
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire...
CVE-2022-24784 Discoverability of user password hash in Statamic CMS
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire...
CVE-2022-24784 Discoverability of user password hash in Statamic CMS
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire...