CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 1CVE-2023-40035 – Craft CMS vulnerable to Remote Code Execution via validatePath bypass
https://notcve.org/view.php?id=CVE-2023-40035
Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15. • https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5 https://github.com/craftcms/cms/releases/tag/3.8.15 https://github.com/craftcms/cms/releases/tag/4.4.15 https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33495
https://notcve.org/view.php?id=CVE-2023-33495
Craft CMS through 4.4.9 is vulnerable to HTML Injection. • https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212 https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30179
https://notcve.org/view.php?id=CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default. • https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14 https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714 https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33195 – Craft CMS XSS in RSS widget feed
https://notcve.org/view.php?id=CVE-2023-33195
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 6EXPL: 1CVE-2023-33194 – CraftCMS stored XSS in Quick Post widget error message
https://notcve.org/view.php?id=CVE-2023-33194
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •