Page 2 of 11 results (0.022 seconds)

CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1

Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. • https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7 https://github.com/craftcms/cms/releases/tag/4.4.7 https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. • https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766 https://github.com/craftcms/cms/releases/tag/4.4.6 https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. • https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb https://www.tenable.com/security/research/tra-2023-20%2C • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. • https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4. • https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442 https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •