Lucene search: Craftercms / Crafter CMS

7 matches found

CVE-2021-23264 (CVE, added 2021/12/02 4:15 p.m.)

Installations where crafter-search is not protected allow unauthenticated remote attackers to create, view, and delete search indexes.

CVSS 9.1 | AI score 8.8 | EPSS 0.01086
CVE-2021-23263 (CVE, added 2021/12/02 4:15 p.m.)

Unauthenticated remote attackers can read textual content via FreeMarker, including files under /scripts/ and /templates/ and some of the non-binary files under /.git/.

CVSS 7.5 | AI score 6.5 | EPSS 0.01112
CVE-2021-23260 (CVE, added 2021/12/02 4:15 p.m.)

Authenticated users with Site roles may inject XSS payloads via file names; the payload executes in the browser of the injecting user and of other users of the same site.

CVSS 6.5 | AI score 5.5 | EPSS 0.0079
CVE-2021-23258 (CVE, added 2021/12/02 4:15 p.m.)

Authenticated users with Administrator or Developer roles may execute OS commands via SpEL expressions in Spring beans. SpEL evaluation has no security restrictions, so an attacker holding one of these roles can execute arbitrary commands remotely (RCE).

CVSS 7.2 | AI score 6.3 | EPSS 0.00292
CVE-2021-23259 (CVE, added 2021/12/02 4:15 p.m.)

Authenticated users with Administrator or Developer roles may execute OS commands via the Groovy scripts used to render a web page. The Groovy script runs without security restrictions, so an attacker holding one of these roles can execute arbitrary commands remotely (RCE).

CVSS 7.2 | AI score 6.3 | EPSS 0.00391
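The root cause shared by CVE-2021-23258 (SpEL) and CVE-2021-23259 (Groovy) is that an expression or script supplied by a privileged user is evaluated with no restrictions on what it may reach. The Java snippet below is added here as an illustration of the SpEL half of that problem; it is not Crafter CMS code and does not claim to be the project's fix. It evaluates the same expressions under Spring's StandardEvaluationContext, which resolves T() type references and therefore can reach java.lang.Runtime, and under SimpleEvaluationContext, which only supports data binding against the root object and rejects type references. The PageModel class and the payload string are constructed for the example.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Hypothetical model object exposed to expressions (constructed for this example).
    public static class PageModel {
        private final String title;
        public PageModel(String title) { this.title = title; }
        public String getTitle() { return title; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: StandardEvaluationContext resolves T(...) type references,
    // constructors and arbitrary method calls, so the expression language is a full
    // Java execution surface for whoever can write the expression.
    static Object evalUnrestricted(String expr, PageModel root) {
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: SimpleEvaluationContext has no type locator and no method
    // resolvers, so only property access on the root object is possible. A T(...)
    // reference fails with a SpelEvaluationException (an EvaluationException).
    static Object evalRestricted(String expr, PageModel root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        PageModel model = new PageModel("Home");
        String benign = "title";
        // Constructed payload of the kind the advisory describes: reach Runtime through a type reference.
        String malicious = "T(java.lang.Runtime).getRuntime().exec('id')";

        System.out.println("unrestricted, benign:  " + evalUnrestricted(benign, model));
        System.out.println("restricted,   benign:  " + evalRestricted(benign, model));

        // Under StandardEvaluationContext the payload would actually spawn 'id';
        // it is deliberately not evaluated here.
        // evalUnrestricted(malicious, model);

        try {
            evalRestricted(malicious, model);
            System.out.println("restricted, malicious: evaluated (unexpected)");
        } catch (EvaluationException e) {
            System.out.println("restricted, malicious: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The restricted context is the right default whenever expression text can come from a user, even a privileged one; if method calls are genuinely needed, add explicit resolvers to the SimpleEvaluationContext rather than falling back to the standard one. Groovy has no equivalently simple read-only mode, which is why the practical control for CVE-2021-23259 is the one the advisory implies: keep Administrator and Developer role membership small and apply the vendor fix.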
CVE-2021-23262 (CVE, added 2021/12/02 4:15 p.m.)

Authenticated administrators may modify the main YAML configuration file and load a Java class, resulting in RCE.

CVSS 7.2 | AI score 5.5 | EPSS 0.0055
CVE-2021-23261 (CVE, added 2021/12/02 4:15 p.m.)

Authenticated administrators may override the system configuration file and cause a denial of service.

CVSS 4.9 | AI score 4.9 | EPSS 0.00373