7 matches found

added 2019/08/23 1:15 p.m., 164 views

CVE-2019-15485

Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.

CVSS 6.1, AI score 6, EPSS 0.00305

added 2019/08/23 1:15 p.m., 147 views

CVE-2019-15484

Bolt before 3.6.10 has XSS via an image's alt or title field.

CVSS 6.1, AI score 6, EPSS 0.00305

added 2019/03/07 11:29 p.m., 144 views

CVE-2019-9185

Controller/Async/FilesystemManager.php in the filemanager in Bolt before 3.6.5 allows remote attackers to execute arbitrary PHP code by renaming a previously uploaded file to have a .php extension.

CVSS 8.8, AI score 8.9, EPSS 0.01097

added 2019/08/23 1:15 p.m., 140 views

CVE-2019-15483

Bolt before 3.6.10 has XSS via a title that is mishandled in the system log.

CVSS 6.1, AI score 5.9, EPSS 0.00223

added 2019/12/29 7:15 p.m., 80 views

CVE-2019-20058

Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in production. This is related to CVE-2018-12040.

CVSS 6.1, AI score 5.8, EPSS 0.00328

added 2019/12/31 5:15 p.m., 65 views

CVE-2019-9553

Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and CVE-2018-19933.

CVSS 6.1, AI score 5.6, EPSS 0.0305

added 2019/04/05 5:29 a.m., 57 views

CVE-2019-10874

Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file.

CVSS 8.8, AI score 9, EPSS 0.00553