Page 4 of 52 results (0.008 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

CVE-2022-37250

https://notcve.org/view.php?id=CVE-2022-37250

16 Sep 2022 — Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. Craft CMS versión 4.2.0.1, sufre de un ataque de tipo Cross Site Scripting (XSS) Almacenado en /admin/myaccount • https://github.com/craftcms/cms/commit/cdc9cb66d0716c9552e4113c8e426fd1a31f9516 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 3

CVE-2022-29933 – Craft CMS 3.7.36 Password Reset Poisoning Attack

https://notcve.org/view.php?id=CVE-2022-29933

06 May 2022 — Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not us... • https://packetstorm.news/files/id/166989 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-28378

https://notcve.org/view.php?id=CVE-2022-28378

03 Apr 2022 — Craft CMS before 3.7.29 allows XSS. Craft CMS versiones anteriores a 3.7.29 permite una vulnerabilidad de tipo XSS • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3729---2022-01-18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-41824

https://notcve.org/view.php?id=CVE-2021-41824

29 Sep 2021 — Craft CMS before 3.7.14 allows CSV injection. Craft CMS versiones anteriores a 3.7.14 permite una inyección de CSV • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 0

CVE-2021-27903

https://notcve.org/view.php?id=CVE-2021-27903

30 Jun 2021 — An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). Se ha detectado un problema en Craft CMS versiones anteriores a 3.6.7. En algunas circunstancias, se presentaba una potencial vulnerabilidad de ejecución de código remota en sitios que no restringían los cambios administrativos (si un atacante era capaz d... • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#367---2021-02-23 • CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-27902

https://notcve.org/view.php?id=CVE-2021-27902

30 Jun 2021 — An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. Se ha detectado un problema en Craft CMS versiones anteriores a 3.6.0. En algunas circunstancias, se presentaba una potencial vulnerabilidad de tipo XSS en relación con los formularios del front-end que aceptaban las cargas de los usuarios • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#360---2021-01-26 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-32470

https://notcve.org/view.php?id=CVE-2021-32470

07 May 2021 — Craft CMS before 3.6.13 has an XSS vulnerability. Un CMS diseñado, versiones anteriores a 3.6.13, presenta una vulnerabilidad de tipo XSS • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3613---2021-05-04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

CVE-2020-19626

https://notcve.org/view.php?id=CVE-2020-19626

26 Mar 2021 — Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en craftcms versión 3.1.31, permite a atacantes remotos inyectar un script web o HTML arbitrario, por medio de /admin/settings/sites/new. • http://mayoterry.com/file/cve/XSS_vuluerability_in_Craftcms_3.1.31.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 93%CPEs: 1EXPL: 1

CVE-2020-9757

https://notcve.org/view.php?id=CVE-2020-9757

04 Mar 2020 — The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. El componente Seomatic versiones anteriores a 3.3.0 para Craft CMS permite una Inyección de tipo Server-Side Template y una divulgación de información por medio de datos malformados en el controlador de metacontenedores. • https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

CVE-2019-15929 – Craft CMS Rate Limiting / Brute Force

https://notcve.org/view.php?id=CVE-2019-15929

24 Oct 2019 — In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. En Craft CMS versiones hasta 3.1.7, la petición de contraseña de sesión elevada no estaba siendo limitada como en los formularios de inicio de sesión normales, conllevando a la posibilidad de un intento de fuerza bruta sobre ellos. Craft CMS versions up to 3.1.7 are missing rate limiting on password validations. • https://packetstorm.news/files/id/155012 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •