CVE-2021-23260 – Stored XSS Vulnerability in File Name of the File Upload function
https://notcve.org/view.php?id=CVE-2021-23260
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site. Los usuarios autenticados con roles de Sitio pueden inyectar scripts de tipo XSS por medio de nombres de archivos que serán ejecutados en el navegador para este y otros usuarios del mismo sitio • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120103 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-23259 – Groovy Sandbox Bypass
https://notcve.org/view.php?id=CVE-2021-23259
Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE). Los usuarios autenticados con roles de Administrador o Desarrollador pueden ejecutar comandos del sistema operativo mediante el Script Groovy que usa Groovy lib para renderizar una página web. El script groovy no presenta restricciones de seguridad, lo que causará que atacantes ejecuten comandos arbitrarios de forma remota (RCE) • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120102 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVE-2021-23258 – Spring SPEL Expression Language Injection
https://notcve.org/view.php?id=CVE-2021-23258
Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE). Los usuarios autenticados con roles de Administrador o Desarrollador pueden ejecutar comandos del SO mediante SPEL Expression en Spring beans. SPEL Expression no presenta restricciones de seguridad, lo que causará que atacantes ejecuten comandos arbitrarios de forma remota (RCE) • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120101 • CWE-913: Improper Control of Dynamically-Managed Code Resources •