
CVSS: 7.5 • EPSS: 2% • CPEs: 1 • EXPL: 0

27 Nov 2020 — Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system. • http://crafter.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.6 • EPSS: 2% • CPEs: 1 • EXPL: 0

27 Nov 2020 — Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. • http://crafter.com • CWE-91: XML Injection (aka Blind XPath Injection)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Nov 2020 — Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies. • https://docs.craftercms.org/en/3.0/security/advisory.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

06 Oct 2020 — Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker template exposed objects. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior to 3.1.7. • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2020080102 • CWE-913: Improper Control of Dynamically-Managed Code Resources

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

06 Oct 2020 — Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy scripting. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior to 3.1.7. • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2020080101 • CWE-913: Improper Control of Dynamically-Managed Code Resources

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Dec 2018 — A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page. • https://github.com/craftercms/craftercms/issues/2677 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')