Page 2 of 9 results (0.004 seconds)

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. • https://github.com/statamic/cms/issues/5604 https://github.com/statamic/cms/pull/5568 https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

A Code Execution vulnerability exists in Statamic Version through 3.2.26 via SettingsController.php. NOTE: the vendor indicates that there was an error in publishing this CVE Record, and that all parties agree that the affected code was not used in any Statamic product ** EN DISPUTA ** Se presenta una vulnerabilidad de Ejecución de Código en Statamic versiones hasta 3.2.26 por medio del archivo SettingsController.php NOTA: el proveedor indica que hubo un error al publicar este Registro CVE y que todas las partes están de acuerdo en que el código afectado no se usó en ningún producto de Statamic • https://github.com/Stakcery/Web-Security/issues/2 •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request. Statamic 2.10.3 permite Cross-Site Scripting (XSS) mediante "First Name" o "Last Name" en el URI /users en una petición "Add new user". • https://github.com/security-breachlock/CVE-2018-19598/blob/master/Static%20cms.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc. Statamic framework anterior a la versión 2.6.0, no comprueba correctamente los permisos de sesión cuando son llamados los métodos de una clase de usuario. Los métodos problemáticos incluyen restablecer la contraseña, crear nueva cuenta, crear nuevo rol, etc. • https://gist.github.com/rambo691/3714c8c09cf894d574d37c294711c49e • CWE-732: Incorrect Permission Assignment for Critical Resource •