Lucene search
+L

211 matches found

Veracode
Veracode
added 2024/01/04 7:57 a.m.31 views

Privilege Escalation

craftcms/cms is vulnerable to Privilege Escalation. The vulnerability is due to the actionSave function within ElementsController.php, because there are no checks for save permissions before and after applying POST params to the element, as well as the actionSaveUser function within...

8.8CVSS7.2AI score0.00588EPSS
Exploits0References8Affected Software1
GithubExploit
GithubExploit
added 2023/12/26 6:31 p.m.778 views

Exploit for Code Injection in Craftcms Craft_Cms

Craft CMS CVE-2023-41892 There is a Unauthenticated Remote...

10CVSS9.8AI score0.92918EPSS
Exploits10
Tenable Nessus
Tenable Nessus
added 2023/09/20 12:0 a.m.24 views

CraftCMS 4.x < 4.4.15 Remote Code Execution

CraftCMS version 4.x prior to 4.4.15 is vulnerable to a Remote Code Execution RCE in the action endpoint. No source data...

10CVSS7.9AI score0.92918EPSS
Exploits10References2
Veracode
Veracode
added 2023/08/23 7:16 a.m.55 views

Remote Code Execution (RCE)

craftcms/cms is vulnerable to Remote Code Execution. The vulnerability is due to a lack of file protocol removal in FileHelper.php which allows an attacker to upload and execute malicious PHP code into the system...

7.2CVSS7.7AI score0.01909EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2023/08/23 12:0 a.m.4 views

CraftCMS 注入漏洞

CraftCMS is a content management system from CraftCMS, Inc. CraftCMS suffers from an injection vulnerability that stems from the fact that bypassing the validatePath function can lead to potential remote code execution, which can be exploited by an attacker to cause malicious control of a...

7.2CVSS7.3AI score0.01909EPSS
Exploits1References5
Veracode
Veracode
added 2023/06/27 9:41 a.m.20 views

Improper Input Validation

craftcms/redactor, is vulnerable to Improper Input Validation. The vulnerability exists because the html is not properly validated which allows an attacker to inject payloads via HTML Injection...

6.1CVSS6.7AI score0.00497EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2023/06/23 4:3 p.m.24 views

Server-Side Template Injection

craftcms/cms is vulnerable to Server-Side Template Injection. The vulnerability exists due to a lack of validation in the User Photo Location Field in User Settings. which allows a remote attacker to inject a trig template, resulting in information disclosure...

7.2CVSS6.6AI score0.02203EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2023/06/20 10:10 a.m.21 views

Cross-Site Scripting (XSS)

craftcms/cms is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to a lack of sanitization in field names, which allows an attacker to inject and execute arbitrary JavaScript into the browser...

5.4CVSS6.5AI score0.00444EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2023/06/13 6:30 p.m.40 views

GHSA-3X74-V64J-QC3F Withdrawn Advisory: CraftCMS Server-Side Template Injection vulnerability

Withdrawn This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references. According to maintainers of Craft CMS, only administrators can access Settings, and those administrators may ha...

7.2CVSS7.2AI score0.02203EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2023/06/13 6:30 p.m.23 views

Withdrawn Advisory: CraftCMS Server-Side Template Injection vulnerability

Withdrawn This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references. According to maintainers of Craft CMS, only administrators can access Settings, and those administrators may ha...

7.2CVSS7.3AI score0.02203EPSS
Exploits1References7Affected Software1
ATTACKERKB
ATTACKERKB
added 2023/06/13 5:15 p.m.2 views

CVE-2023-30179

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection SSTI. An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...

7.2CVSS7.2AI score0.02203EPSS
Exploits1References5
NVD
NVD
added 2023/06/13 5:15 p.m.16 views

CVE-2023-30179

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection SSTI. An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...

7.2CVSS7.2AI score0.02203EPSS
Exploits1References4
Prion
Prion
added 2023/06/13 5:15 p.m.22 views

Design/Logic Flaw

DISPUTED CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection SSTI. An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only...

5.8CVSS7.2AI score0.02203EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2023/06/13 12:0 a.m.62 views

CVE-2023-30179

CraftCMS is affected by a Server-Side Template Injection (SSTI) in version 3.7.59, where an authenticated user can inject Twig templates into the User Photo Location in User Settings, potentially enabling Remote Code Execution. The root cause cited is lack of input validation for the Twig code in...

7.2CVSS7.2AI score0.02203EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2023/06/13 12:0 a.m.9 views

CVE-2023-30179

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection SSTI. An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...

7.2AI score0.02203EPSS
Exploits1References4
Cvelist
Cvelist
added 2023/06/13 12:0 a.m.23 views

CVE-2023-30179

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection SSTI. An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...

7.4AI score0.02203EPSS
Exploits1References4
CNNVD
CNNVD
added 2023/06/13 12:0 a.m.6 views

CraftCMS 代码注入漏洞

CraftCMS is a content management system from CraftCMS, Inc. A code injection vulnerability exists in CraftCMS version 3.7.59, which stems from susceptibility to a server-side template injection SSTI attack, where an attacker can inject a Twig template into the er Photo Location field when the Use...

7.2CVSS7.4AI score0.02203EPSS
Exploits1References5
OSV
OSV
added 2023/06/13 12:0 a.m.8 views

CVE-2023-30179

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection SSTI. An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...

7.2CVSS7.2AI score0.02203EPSS
Exploits1References6
Veracode
Veracode
added 2023/05/30 10:3 a.m.19 views

Cross-Site Scripting (XSS)

craftcms/cms is vulnerable to Cross-Site Scripting XSS attacks. The library does not properly sanitize user inputs before it outputs to the front end, allowing an attacker to inject and execute malicious javascript through the reviewSession function in AssetIndexer.ts...

5.5CVSS6AI score0.00653EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2023/05/30 9:41 a.m.9 views

Cross-Site Scripting (XSS)

craftcms/cms is vulnerable to Cross-Site Scripting XSS attacks. The library does not properly sanitize user inputs before it output to the front end, allowing an attacker to inject and execute malicious javascript through the save function in QuickPostWidget.js...

4.8CVSS6AI score0.00617EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder