CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-24784 – Discoverability of user password hash in Statamic CMS
https://notcve.org/view.php?id=CVE-2022-24784
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. • https://github.com/statamic/cms/issues/5604 https://github.com/statamic/cms/pull/5568 https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-45364
https://notcve.org/view.php?id=CVE-2021-45364
A Code Execution vulnerability exists in Statamic Version through 3.2.26 via SettingsController.php. NOTE: the vendor indicates that there was an error in publishing this CVE Record, and that all parties agree that the affected code was not used in any Statamic product ** EN DISPUTA ** Se presenta una vulnerabilidad de Ejecución de Código en Statamic versiones hasta 3.2.26 por medio del archivo SettingsController.php NOTA: el proveedor indica que hubo un error al publicar este Registro CVE y que todas las partes están de acuerdo en que el código afectado no se usó en ningún producto de Statamic • https://github.com/Stakcery/Web-Security/issues/2 •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19598
https://notcve.org/view.php?id=CVE-2018-19598
Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request. Statamic 2.10.3 permite Cross-Site Scripting (XSS) mediante "First Name" o "Last Name" en el URI /users en una petición "Add new user". • https://github.com/security-breachlock/CVE-2018-19598/blob/master/Static%20cms.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •