CVSS: 9.8EPSS: 92%CPEs: 3EXPL: 4CVE-2024-56145 – RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms
https://notcve.org/view.php?id=CVE-2024-56145
18 Dec 2024 — Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 4.13.2 or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue. • https://packetstorm.news/files/id/188825 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52600 – Statamic CMS has Path Traversal in Asset Upload
https://notcve.org/view.php?id=CVE-2024-52600
19 Nov 2024 — Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files... • https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.1EPSS: 0%CPEs: 3EXPL: 1CVE-2024-7551 – juzaweb CMS Theme Editor default path traversal
https://notcve.org/view.php?id=CVE-2024-7551
06 Aug 2024 — A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as problematic. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme Editor. The manipulation leads to path traversal. It is possible to launch the attack remotely. • https://github.com/DeepMountains/Mirage/blob/main/CVE9-1.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11198
https://notcve.org/view.php?id=CVE-2019-11198
05 Aug 2019 — Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. Múltiples vulnerabilidad... • https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 15%CPEs: 1EXPL: 1CVE-2019-9875 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2019-9875
31 May 2019 — Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. La deserialización de datos no confiables en el módulo anti CSRF en Sitecore hasta la versón 9.1, permite a un atacante identificado ejecutar código arbitrario mediante el envío un objeto .NET serializado dentro de un parámetro POST de HTTP. Sitecore CMS and Experience Platform (XP) contain a deserializatio... • https://dev.sitecore.net/Downloads.aspx • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2014-100004
https://notcve.org/view.php?id=CVE-2014-100004
13 Jan 2015 — Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information. Vulnerabilidad de XSS en Sitecore CMS anterior a 7.0 actualización-4 (rev. 140120) permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro xmlcontrol en la URI por defecto. NOTA: algunos d... • http://osvdb.org/102660 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 4EXPL: 2CVE-2009-2163 – Sitecore CMS 6.0.0 rev. 090120 - 'default.aspx' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-2163
22 Jun 2009 — Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Sitecore CMS versiones anteriores a v6.0.2 Update-1 090507 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante el parámetro "sc_error". • https://www.exploit-db.com/exploits/34930 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •