CVE-2021-27902
https://notcve.org/view.php?id=CVE-2021-27902
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. Se ha detectado un problema en Craft CMS versiones anteriores a 3.6.0. En algunas circunstancias, se presentaba una potencial vulnerabilidad de tipo XSS en relación con los formularios del front-end que aceptaban las cargas de los usuarios • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#360---2021-01-26 https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#security-1 https://github.com/craftcms/cms/commit/8ee85a8f03c143fa2420e7d6f311d95cae3b19ce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-32470
https://notcve.org/view.php?id=CVE-2021-32470
Craft CMS before 3.6.13 has an XSS vulnerability. Un CMS diseñado, versiones anteriores a 3.6.13, presenta una vulnerabilidad de tipo XSS • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3613---2021-05-04 https://github.com/craftcms/cms/commit/f9378aa154b5f9b64bed3d59cce0c4a8184bf5e6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-19626
https://notcve.org/view.php?id=CVE-2020-19626
Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en craftcms versión 3.1.31, permite a atacantes remotos inyectar un script web o HTML arbitrario, por medio de /admin/settings/sites/new. • http://mayoterry.com/file/cve/XSS_vuluerability_in_Craftcms_3.1.31.pdf https://github.com/craftcms/cms/commit/76a2168b6a5e30144f5c06da4ff264f4eca577ff • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-9757
https://notcve.org/view.php?id=CVE-2020-9757
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. El componente Seomatic versiones anteriores a 3.3.0 para Craft CMS permite una Inyección de tipo Server-Side Template y una divulgación de información por medio de datos malformados en el controlador de metacontenedores. • https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2019-15929 – Craft CMS Rate Limiting / Brute Force
https://notcve.org/view.php?id=CVE-2019-15929
In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. En Craft CMS versiones hasta 3.1.7, la petición de contraseña de sesión elevada no estaba siendo limitada como en los formularios de inicio de sesión normales, conllevando a la posibilidad de un intento de fuerza bruta sobre ellos. Craft CMS versions up to 3.1.7 are missing rate limiting on password validations. • http://packetstormsecurity.com/files/155012/Craft-CMS-Rate-Limiting-Brute-Force.html https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#317---2019-01-31 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •