Vulnerabilities (CVE)


Filtered by vendor: Craftcms
Total: 28 CVE

Each entry lists the CVE identifier, the number of affected vendors and products with their names, the date the record was last updated, and the CVSS v2 and v3 base scores with severity, followed by the CVE description.

CVE-2017-8383 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2019-10-02 | CVSS v2: 5.0 MEDIUM | CVSS v3: 5.3 MEDIUM
    Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.

CVE-2018-20465 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2019-10-02 | CVSS v2: 4.0 MEDIUM | CVSS v3: 7.2 HIGH
    Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.

CVE-2019-14280 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2019-09-02 | CVSS v2: 5.0 MEDIUM | CVSS v3: 5.3 MEDIUM
    In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.

CVE-2018-20418 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2019-03-15 | CVSS v2: 3.5 LOW | CVSS v3: 4.8 MEDIUM
    index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.

CVE-2017-9516 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2017-08-12 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
    Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.

CVE-2017-8385 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2017-05-11 | CVSS v2: 5.0 MEDIUM | CVSS v3: 5.3 MEDIUM
    Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

CVE-2017-8384 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2017-05-11 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
    Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

CVE-2017-8052 | Vendors: 1 (Craftcms) | Products: 1 (Craft Cms) | Updated: 2017-04-26 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
    Craft CMS before 2.6.2974 allows XSS attacks.