Craft Cms

craft_cms

Vendor: Craftcms • 97 CVEs

CVEs (97)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-27902 1Craftcms 1Craft Cms Nov 21, 2024 Jun 30, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.
CVE-2021-32470 1Craftcms 1Craft Cms Nov 21, 2024 May 7, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Craft CMS before 3.6.13 has an XSS vulnerability.
CVE-2020-19626 1Craftcms 1Craft Cms Nov 21, 2024 Mar 26, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
CVE-2020-9757 1Craftcms 1Craft Cms Nov 21, 2024 Mar 4, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
CVE-2019-9554 1Craftcms 1Craft Cms Nov 21, 2024 Dec 31, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.
CVE-2019-15929 1Craftcms 1Craft Cms Nov 21, 2024 Oct 24, 2019 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
CVE-2019-17496 1Craftcms 1Craft Cms Nov 21, 2024 Oct 11, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.
CVE-2019-14280 1Craftcms 1Craft Cms Nov 21, 2024 Jul 26, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
CVE-2019-12823 1Craftcms 1Craft Cms Nov 21, 2024 Jun 18, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS.
CVE-2018-20465 1Craftcms 1Craft Cms Nov 21, 2024 Dec 25, 2018 N/A· v4 7.2 HIGH· v3 4.0 MEDIUM· v2 Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.pa...Show more Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.Show less
CVE-2018-20418 1Craftcms 1Craft Cms Nov 21, 2024 Dec 24, 2018 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
CVE-2018-3814 1Craftcms 1Craft Cms Nov 21, 2024 Jan 1, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be...Show more Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.Show less
CVE-2017-9516 1Craftcms 1Craft Cms May 13, 2026 Jun 8, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
CVE-2017-8385 1Craftcms 1Craft Cms May 13, 2026 May 1, 2017 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.
CVE-2017-8384 1Craftcms 1Craft Cms May 13, 2026 May 1, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for...Show more Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.Show less
CVE-2017-8383 1Craftcms 1Craft Cms May 13, 2026 May 1, 2017 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.
CVE-2017-8052 1Craftcms 1Craft Cms May 13, 2026 Apr 22, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Craft CMS before 2.6.2974 allows XSS attacks.

Previous 1 2 3 45