Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Craftcms Subscribe
Filtered by product Craft Cms
Total 28 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-8383 1 Craftcms 1 Craft Cms 2019-10-02 5.0 MEDIUM 5.3 MEDIUM
Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.
CVE-2018-20465 1 Craftcms 1 Craft Cms 2019-10-02 4.0 MEDIUM 7.2 HIGH
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
CVE-2019-14280 1 Craftcms 1 Craft Cms 2019-09-02 5.0 MEDIUM 5.3 MEDIUM
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
CVE-2018-20418 1 Craftcms 1 Craft Cms 2019-03-15 3.5 LOW 4.8 MEDIUM
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
CVE-2017-9516 1 Craftcms 1 Craft Cms 2017-08-12 3.5 LOW 5.4 MEDIUM
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
CVE-2017-8385 1 Craftcms 1 Craft Cms 2017-05-11 5.0 MEDIUM 5.3 MEDIUM
Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.
CVE-2017-8384 1 Craftcms 1 Craft Cms 2017-05-11 4.3 MEDIUM 6.1 MEDIUM
Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.
CVE-2017-8052 1 Craftcms 1 Craft Cms 2017-04-26 4.3 MEDIUM 6.1 MEDIUM
Craft CMS before 2.6.2974 allows XSS attacks.