Vulnerabilities (CVE)

Filtered by vendor Craftcms Subscribe
Total 50 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-37251 1 Craftcms 1 Craft Cms 2024-11-21 N/A 5.4 MEDIUM
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.
CVE-2022-37250 1 Craftcms 1 Craft Cms 2024-11-21 N/A 5.4 MEDIUM
Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.
CVE-2022-37248 1 Craftcms 1 Craft Cms 2024-11-21 N/A 5.4 MEDIUM
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.
CVE-2022-37247 1 Craftcms 1 Craft Cms 2024-11-21 N/A 5.4 MEDIUM
Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields page.
CVE-2022-37246 1 Craftcms 1 Craft Cms 2024-11-21 N/A 5.4 MEDIUM
Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.
CVE-2022-29933 1 Craftcms 1 Craft Cms 2024-11-21 6.8 MEDIUM 8.8 HIGH
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).
CVE-2022-28378 1 Craftcms 1 Craft Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Craft CMS before 3.7.29 allows XSS.
CVE-2021-41824 1 Craftcms 1 Craft Cms 2024-11-21 6.8 MEDIUM 8.8 HIGH
Craft CMS before 3.7.14 allows CSV injection.
CVE-2021-32470 1 Craftcms 1 Craft Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Craft CMS before 3.6.13 has an XSS vulnerability.
CVE-2021-27903 1 Craftcms 1 Craft Cms 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).
CVE-2021-27902 1 Craftcms 1 Craft Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.
CVE-2020-9757 1 Craftcms 1 Craft Cms 2024-11-21 7.5 HIGH 9.8 CRITICAL
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
CVE-2020-19626 1 Craftcms 1 Craft Cms 2024-11-21 3.5 LOW 5.4 MEDIUM
Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
CVE-2019-9554 1 Craftcms 1 Craft Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.
CVE-2019-17496 1 Craftcms 1 Craft Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.
CVE-2019-15929 1 Craftcms 1 Craft Cms 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
CVE-2019-14280 1 Craftcms 1 Craft Cms 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
CVE-2019-12823 1 Craftcms 1 Craft Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS.
CVE-2018-3814 1 Craftcms 1 Craft Cms 2024-11-21 6.5 MEDIUM 8.8 HIGH
Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.
CVE-2018-20465 1 Craftcms 1 Craft Cms 2024-11-21 4.0 MEDIUM 7.2 HIGH
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.