Filtered by vendor Craftcms
Subscriptions
Filtered by product Craft Cms
Subscriptions
Total
47 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2017-8052 | 1 Craftcms | 1 Craft Cms | 2024-09-16 | N/A |
Craft CMS before 2.6.2974 allows XSS attacks. | ||||
CVE-2024-45406 | 1 Craftcms | 1 Craft Cms | 2024-09-13 | 5.5 Medium |
Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input. | ||||
CVE-2024-41800 | 1 Craftcms | 1 Craft Cms | 2024-08-26 | 4.8 Medium |
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3. | ||||
CVE-2017-9516 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. | ||||
CVE-2017-8383 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. | ||||
CVE-2017-8384 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. | ||||
CVE-2017-8385 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. | ||||
CVE-2018-20465 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. | ||||
CVE-2018-20418 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab. | ||||
CVE-2018-3814 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension. | ||||
CVE-2019-17496 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | 6.1 Medium |
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. | ||||
CVE-2019-15929 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | 9.8 Critical |
In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. | ||||
CVE-2019-14280 | 1 Craftcms | 1 Craft Cms | 2024-08-05 | N/A |
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public. | ||||
CVE-2019-12823 | 1 Craftcms | 1 Craft Cms | 2024-08-04 | 6.1 Medium |
Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS. | ||||
CVE-2019-9554 | 1 Craftcms | 1 Craft Cms | 2024-08-04 | 6.1 Medium |
In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. | ||||
CVE-2020-19626 | 1 Craftcms | 1 Craft Cms | 2024-08-04 | 5.4 Medium |
Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new. | ||||
CVE-2020-9757 | 1 Craftcms | 1 Craft Cms | 2024-08-04 | 9.8 Critical |
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. | ||||
CVE-2021-41824 | 1 Craftcms | 1 Craft Cms | 2024-08-04 | 8.8 High |
Craft CMS before 3.7.14 allows CSV injection. | ||||
CVE-2021-32470 | 1 Craftcms | 1 Craft Cms | 2024-08-03 | 6.1 Medium |
Craft CMS before 3.6.13 has an XSS vulnerability. | ||||
CVE-2021-27902 | 1 Craftcms | 1 Craft Cms | 2024-08-03 | 6.1 Medium |
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. |