CVSS: 9.8EPSS: 69%CPEs: 1EXPL: 1CVE-2024-37843
https://notcve.org/view.php?id=CVE-2024-37843
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. Se descubrió que Craft CMS hasta v3.7.31 contenía una vulnerabilidad de inyección SQL a través del endpoint de la API GraphQL. • https://github.com/gsmith257-cyber/CVE-2024-37843-POC https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36259
https://notcve.org/view.php?id=CVE-2023-36259
Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. Una vulnerabilidad de Cross Site Scripting (XSS) en Craft CMS Audit Plugin anterior a la versión 3.0.2 permite a los atacantes ejecutar código arbitrario durante la creación de usuarios. • https://github.com/sjelfull/craft-audit/pull/73 https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36260
https://notcve.org/view.php?id=CVE-2023-36260
An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has "nothing to do with security." Un problema descubierto en Craft CMS versión 4.6.1. permite a atacantes remotos provocar una denegación de servicio (DoS) a través de una cadena manipulada en los campos Feed-Me Name y Feed-Me URL debido a que se guarda un feed utilizando un tipo de elemento Asset sin volumen seleccionado. • https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28 https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29 https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21622 – Craft CMS Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-21622
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. Craft es un sistema de gestión de contenidos. • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16 https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16 https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843 https://github.com/craftcms/cms/pull/13931 https://github.com/craftcms/cms/pull/13932 https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 89%CPEs: 1EXPL: 4CVE-2023-41892 – Craft CMS Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2023-41892
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15. Craft CMS es una plataforma para crear experiencias digitales. • https://github.com/zaenhaxor/CVE-2023-41892 https://github.com/acesoyeo/CVE-2023-41892 https://github.com/CERTologists/HTTP-Request-for-PHP-object-injection-attack-on-CVE-2023-41892 http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857 https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e h • CWE-94: Improper Control of Generation of Code ('Code Injection') •