CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17496
https://notcve.org/view.php?id=CVE-2019-17496
10 Oct 2019 — Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. Craft CMS versiones anteriores a la verisón 3.3.8, tiene una vulnerabilidad de tipo XSS almacenado por medio de un campo name. Este campo es manejado inapropiadamente durante la eliminación del sitio • https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#338---2019-10-09 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 15%CPEs: 2EXPL: 2CVE-2019-14280 – Craft CMS 2.7.9/3.2.5 - Information Disclosure
https://notcve.org/view.php?id=CVE-2019-14280
26 Jul 2019 — In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public. En algunas circunstancias, Craft versiones 2 anteriores a 2.7.10 y versiones 3 anteriores a 3.2.6, no estaba eliminando los datos EXIF ??de las imágenes subidas por el usuario cuando estaba configurado para hacerlo, lo que expone potencialmente al público los datos personales y de geolocalización. C... • https://packetstorm.news/files/id/154276 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12823
https://notcve.org/view.php?id=CVE-2019-12823
18 Jun 2019 — Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS. Craft CMS antes de la versión 3.1.31 no filtra correctamente los feeds XML y por lo tanto permite XSS • https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 3CVE-2019-9554 – Craft CMS 3.1.12 Pro - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9554
04 Mar 2019 — In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. En la versión 3.1.12 Pro de Craft CMS, se descubrió una vulnerabilidad de tipo XSS en el campo de inserción del encabezado cuando se agrega el código fuente en un URI s/admin/entries/news/new. Craft CMS version 3.1.12 Pro suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/151944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20465
https://notcve.org/view.php?id=CVE-2018-20465
25 Dec 2018 — Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. Craft CMS, hasta la versión 3.0.34, permite que administradores autenticados remotos lean información sensible mediante una inyección de plantillas del lado del servi... • https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.md • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 4CVE-2018-20418 – Craft CMS 3.0.25 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20418
24 Dec 2018 — index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab. index.php?p=admin/actions/entries/save-entry en Craft CMS 3.0.25 permite Cross-Site Scripting (XSS) mediante el guardado de un nuevo título de la pestaña de la consola. Craft CMS version 3.0.25 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/150920 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-3814
https://notcve.org/view.php?id=CVE-2018-3814
01 Jan 2018 — Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension. Craft CMS 2.6.3000 permite que los atacantes remotos ejecuten código PHP arbitrario utilizando la pantalla "Assets->Upload files" y luego la opción "Replace it", ya que esto permite que un archivo .jpg tenga código PHP incrustado y que luego se renombre a una ex... • https://github.com/Snowty/myCVE/blob/master/CraftCMS-2.6.3000/README.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2017-9516 – Craft CMS 2.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-9516
08 Jun 2017 — Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. Craft CMS anterior a versión 2.6.2982, permite un potencial vector de ataque de tipo XSS cargando un archivo SVG malicioso. • https://www.exploit-db.com/exploits/42143 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8383
https://notcve.org/view.php?id=CVE-2017-8383
01 May 2017 — Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. Craft CMS en versiones anteriores a la 2.6.2976, no restringe de forma apropiada la visualización de los contenidos de los ficheros situados en el directorio craft/app/. • https://craftcms.com/changelog#2-6-2976 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8384
https://notcve.org/view.php?id=CVE-2017-8384
01 May 2017 — Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. Craft CMS en versiones anteriores a la 2.6.2976 permite un ataque de tipo XSS, debido a que una matriz devuelta por HttpRequestService::getSegments() y getActionSegments() necesita no ser zero-based. Esta vulnerabilidad existe debido a una incompleta corrección de la vulnerab... • https://craftcms.com/changelog#2-6-2976 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •