Total
28 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-23927 | 1 Craftcms | 1 Craft Cms | 2023-03-10 | N/A | 5.4 MEDIUM |
| Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. | |||||
| CVE-2022-37783 | 1 Craftcms | 1 Craft Cms | 2023-02-15 | N/A | 7.5 HIGH |
| All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash in without encoding it whereas the corresponding HTML hidden field discloses the users' password hash in a masked manner, which can be decoded by using public functions of the YII framework. | |||||
| CVE-2022-37246 | 1 Craftcms | 1 Craft Cms | 2022-09-22 | N/A | 5.4 MEDIUM |
| Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label. | |||||
| CVE-2022-37247 | 1 Craftcms | 1 Craft Cms | 2022-09-21 | N/A | 5.4 MEDIUM |
| Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields page. | |||||
| CVE-2022-37251 | 1 Craftcms | 1 Craft Cms | 2022-09-21 | N/A | 5.4 MEDIUM |
| Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts. | |||||
| CVE-2022-37248 | 1 Craftcms | 1 Craft Cms | 2022-09-16 | N/A | 5.4 MEDIUM |
| Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php. | |||||
| CVE-2022-37250 | 1 Craftcms | 1 Craft Cms | 2022-09-16 | N/A | 5.4 MEDIUM |
| Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. | |||||
| CVE-2021-27903 | 1 Craftcms | 1 Craft Cms | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). | |||||
| CVE-2022-29933 | 1 Craftcms | 1 Craft Cms | 2022-05-18 | 6.8 MEDIUM | 8.8 HIGH |
| Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). | |||||
| CVE-2020-9757 | 1 Craftcms | 1 Craft Cms | 2022-04-26 | 7.5 HIGH | 9.8 CRITICAL |
| The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. | |||||
| CVE-2022-28378 | 1 Craftcms | 1 Craft Cms | 2022-04-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 3.7.29 allows XSS. | |||||
| CVE-2021-41824 | 1 Craftcms | 1 Craft Cms | 2021-11-30 | 6.8 MEDIUM | 8.8 HIGH |
| Craft CMS before 3.7.14 allows CSV injection. | |||||
| CVE-2019-12823 | 1 Craftcms | 1 Craft Cms | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS. | |||||
| CVE-2021-27902 | 1 Craftcms | 1 Craft Cms | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. | |||||
| CVE-2021-32470 | 1 Craftcms | 1 Craft Cms | 2021-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 3.6.13 has an XSS vulnerability. | |||||
| CVE-2020-19626 | 1 Craftcms | 1 Craft Cms | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new. | |||||
| CVE-2018-3814 | 1 Craftcms | 1 Craft Cms | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension. | |||||
| CVE-2019-9554 | 1 Craftcms | 1 Craft Cms | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. | |||||
| CVE-2019-15929 | 1 Craftcms | 1 Craft Cms | 2019-10-30 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. | |||||
| CVE-2019-17496 | 1 Craftcms | 1 Craft Cms | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. | |||||