CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36260
https://notcve.org/view.php?id=CVE-2023-36260
30 Jan 2024 — An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has "nothing to do with security." Un probl... • https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21622 – Craft CMS Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-21622
03 Jan 2024 — Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. Craft es un sistema de gestión de contenidos. • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16 • CWE-269: Improper Privilege Management •
CVSS: 8.3EPSS: 0%CPEs: 3EXPL: 1CVE-2023-40035 – Craft CMS vulnerable to Remote Code Execution via validatePath bypass
https://notcve.org/view.php?id=CVE-2023-40035
23 Aug 2023 — Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15. • https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33495
https://notcve.org/view.php?id=CVE-2023-33495
20 Jun 2023 — Craft CMS through 4.4.9 is vulnerable to HTML Injection. • https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 6EXPL: 1CVE-2023-33194 – CraftCMS stored XSS in Quick Post widget error message
https://notcve.org/view.php?id=CVE-2023-33194
26 May 2023 — Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. • https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2023-33196 – Craft CMS stored XSS in review volume
https://notcve.org/view.php?id=CVE-2023-33196
26 May 2023 — Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. • https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33197 – Craft CMS stored XSS in indexedVolumes
https://notcve.org/view.php?id=CVE-2023-33197
26 May 2023 — Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. • https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2817
https://notcve.org/view.php?id=CVE-2023-2817
26 May 2023 — A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. • https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 21%CPEs: 1EXPL: 1CVE-2023-32679 – Remote Code Execution via unrestricted file extension in Craft CMS
https://notcve.org/view.php?id=CVE-2023-32679
19 May 2023 — Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly conf... • https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31144 – Craft CMS vulnerable to cross site scripting in RSS feed widget
https://notcve.org/view.php?id=CVE-2023-31144
09 May 2023 — Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4. • https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •