22 matches found

Github Security Blog
added 2025/05/13 6:30 p.m. · 6 views

OXID eShop May Display User Information

An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error...

CVSS 7.5 · AI score 6.5 · EPSS 0.00333
Exploits 0 · References 3 · Affected Software 1
Snyk
added 2025/05/13 6:30 p.m. · 2 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure due to the improper handling of Smarty syntax errors in CMS pages. An attacker can expose sensitive user information by inducing a Smarty syntax error in a CMS page. Note: The official vendor's hotfix for this issue...

CVSS 8.7 · AI score 5.9 · EPSS 0.00333
Exploits 0 · References 2
OSV
added 2025/05/13 4:15 p.m. · 1 view

CVE-2024-56526

An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error...

CVSS 4.9 · AI score 5.8
Exploits 0 · References 1
NVD
added 2025/05/13 4:15 p.m. · 9 views

CVE-2024-56526

An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error...

CVSS 7.5 · EPSS 0.00333
Exploits 0 · References 1
Vulnrichment
added 2025/05/13 12:00 a.m. · 3 views

CVE-2024-56526

An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error...

AI score 7.4 · EPSS 0.00333
Exploits 0 · References 1
CVE
added 2025/05/13 12:00 a.m. · 33 views

CVE-2024-56526

CVE-2024-56526 affects OXID eShop prior to version 7. A CMS page that uses Smarty may display user information if the CMS page contains a Smarty syntax error, leading to information exposure. The issue is documented across multiple connected feeds (Red Hat, GHSA, Snyk, PT Security, CNNVD, etc.). ...

CVSS 7.5 · AI score 6.3 · EPSS 0.00333
Exploits 0 · References 1 · Affected Software 1
Veracode
added 2024/04/01 4:18 a.m. · 20 views

Server-Side Template Injection (SSTI)

wintercms/winter is vulnerable to Server-side Template Injection (SSTI). The vulnerability is due to insufficient input validation, allowing an admin-authenticated remote attacker to execute arbitrary code by injecting a crafted payload into the CMS Pages field and Plugin components...

CVSS 7.2 · AI score 7.8 · EPSS 0.04466
Exploits 1 · References 5 · Affected Software 1
Github Security Blog
added 2024/03/29 6:30 p.m. · 44 views

Winter CMS Server-Side Template Injection (SSTI) vulnerability

Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components...

CVSS 7.2 · AI score 8.3 · EPSS 0.04466
Exploits 1 · References 5 · Affected Software 1
OSV
added 2024/03/29 6:30 p.m. · 20 views

GHSA-8R5J-GM3J-CX9C Winter CMS Server-Side Template Injection (SSTI) vulnerability

Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components...

CVSS 8.8 · AI score 7.3 · EPSS 0.04466
Exploits 1 · References 5
CVE
added 2024/03/29 12:00 a.m. · 87 views

CVE-2024-29686

CVE-2024-29686 describes a Server-side Template Injection (SSTI) in Winter CMS v1.2.3. The vulnerability allows a remote attacker to execute arbitrary code via a crafted payload in the CMS Pages field and Plugin components. Some sources note this could be exploited by an authenticated/admin user ...

CVSS 7.2 · AI score 7.9 · EPSS 0.04466
Exploits 1 · References 3 · Affected Software 1
Vulnrichment
added 2024/03/29 12:00 a.m. · 11 views

CVE-2024-29686

Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the...

AI score 8 · EPSS 0.04466
Exploits 1 · References 3
Positive Technologies
added 2024/03/29 12:00 a.m. · 3 views

PT-2024-22962 · Unknown · Winter Cms

Name of the Vulnerable Software and Affected Versions: Winter CMS version 1.2.3. Description: A Server-side Template Injection (SSTI) issue allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. The vendor disputes this vulnerability,...

CVSS 8.7 · AI score 8.2 · EPSS 0.04466
Exploits 1 · References 12
OSV
added 2024/03/06 11:07 a.m. · 18 views

BIT-MAGENTO-2020-24404 Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization...

CVSS 5.5 · AI score 3.4 · EPSS 0.00273
Exploits 0 · References 2
Positive Technologies
added 2023/11/29 12:00 a.m. · 3 views

PT-2023-29217 · October · October

Name of the Vulnerable Software and Affected Versions: October versions prior to 3.4.15. Description: The issue allows an authenticated backend user with the editor.cms pages, editor.cms layouts, or editor.cms partials permissions to write specific Twig code and execute arbitrary PHP, despite...

CVSS 9.1 · AI score 9.3 · EPSS 0.00246
Exploits 0 · References 8
Github Security Blog
added 2022/05/24 5:33 p.m. · 15 views

Magento 2 Community Edition vulnerable to Improper Authorization

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization...

CVSS 5.5 · AI score 6.7 · EPSS 0.00273
Exploits 0 · References 5 · Affected Software 1
CNVD
added 2021/01/22 12:00 a.m. · 1 view

OpenMage Magento Lts Injection Vulnerability

OpenMage Magento Lts is an e-commerce system organized by OpenMage. A security vulnerability exists in OpenMage Magento Lts before versions 19.4.10 and 20.0.5, which originates from the fact that an administrator with privileges to import and export data and edit cms pages can inject executable...

CVSS 8.7 · AI score 6.9 · EPSS 0.00751
Exploits 0 · References 1
NVD
added 2021/01/21 2:15 p.m. · 8 views

CVE-2020-26295

OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 an...

CVSS 8.7 · AI score 8.6 · EPSS 0.00751
Exploits 0 · References 3
OSV
added 2021/01/21 2:15 p.m. · 14 views

CVE-2020-26295

OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 an...

CVSS 7.2 · AI score 6.7
Exploits 0 · References 3
Cvelist
added 2021/01/21 1:40 p.m. · 9 views

CVE-2020-26295 CMS Editor code execution

OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 an...

CVSS 8.7 · AI score 8.6 · EPSS 0.00751
Exploits 0 · References 3
OSV
added 2020/11/09 1:15 a.m. · 17 views

CVE-2020-24404

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization...

CVSS 2.7 · AI score 6.1
Exploits 0 · References 1