CVE-2021-23265 – Improper Privilege Management in Crafter Studio
https://notcve.org/view.php?id=CVE-2021-23265
A logged-in and authenticated user with a Reviewer Role may lock a content item. Un usuario conectado y autenticado con un rol de revisor puede bloquear un elemento de contenido • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601 • CWE-269: Improper Privilege Management •
CVE-2021-23264 – Transmission of Private Resources into a New Sphere ('Resource Leak') and Exposure of Resource to Wrong Sphere in Crafter Search
https://notcve.org/view.php?id=CVE-2021-23264
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes. Las instalaciones en las que crafter-search no está protegido permiten a atacantes remotos no autenticados crear, visualizar y eliminar índices de búsqueda • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2021-23263 – Transmission of Private Resources into a New Sphere ('Resource Leak') in Crafter Engine
https://notcve.org/view.php?id=CVE-2021-23263
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary). Los atacantes remotos no autenticados pueden leer contenido textual por medio de FreeMarker incluyendo los archivos /scripts/*, /templates/* y algunos de los archivos en /.git/* (no binarios) • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2021-23262 – Snakeyaml deserialization vulnerability bypass
https://notcve.org/view.php?id=CVE-2021-23262
Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE. Los administradores autenticados pueden modificar el archivo principal de configuración YAML y cargar una clase Java que resulte en RCE • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120105 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVE-2021-23261 – Overriding the system configuration file causes a denial of service
https://notcve.org/view.php?id=CVE-2021-23261
Authenticated administrators may override the system configuration file and cause a denial of service. Los administradores autenticados pueden anular el archivo de configuración del sistema y causar una denegación de servicio • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120104 • CWE-703: Improper Check or Handling of Exceptional Conditions •