Craft Cms@* Security Vulnerabilities and Issues — Craft Cms@* CVE List

Lucene search

CraftcmsCraft Cms*

10 matches found

CVE•added 2024/12/18 9:15 p.m.•3530 views

CVE-2024-56145

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has register_argc_argv enabled. For these users an unspecified remote code execution vector is present. ...

9.8CVSS7.4AI score0.94029EPSS

CVE•added 2024/01/03 5:15 p.m.•218 views

CVE-2024-21622

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure...

8.8CVSS8.7AI score0.00103EPSS

CVE•added 2024/06/25 9:15 p.m.•89 views

CVE-2024-37843

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

9.8CVSS7.9AI score0.82214EPSS

CVE•added 2024/11/13 4:15 p.m.•51 views

CVE-2024-52293

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

7.2CVSS6.9AI score0.04101EPSS

CVE•added 2024/09/09 5:15 p.m.•45 views

CVE-2024-45406

Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.

5.5CVSS5AI score0.00188EPSS

CVE•added 2024/01/30 9:15 a.m.•44 views

CVE-2023-36259

Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.

5.4CVSS5.4AI score0.00087EPSS

CVE•added 2024/01/30 9:15 a.m.•44 views

CVE-2023-36260

An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about cod...

7.5CVSS7.5AI score0.00233EPSS

CVE•added 2024/07/25 5:15 p.m.•42 views

CVE-2024-41800

Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This h...

7.5CVSS5AI score0.00075EPSS

CVE•added 2024/11/13 5:15 p.m.•42 views

CVE-2024-52292

Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function wi...

7.7CVSS6.7AI score0.00108EPSS

CVE•added 2024/11/13 5:15 p.m.•40 views

CVE-2024-52291

Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overw...

8.4CVSS7.8AI score0.00202EPSS