CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52600 – Statamic CMS has Path Traversal in Asset Upload
https://notcve.org/view.php?id=CVE-2024-52600
19 Nov 2024 — Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files... • https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 1.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36119 – Password confirmation stored in plain text via registration form in statamic/cms
https://notcve.org/view.php?id=CVE-2024-36119
30 May 2024 — Statamic is a, Laravel + Git powered CMS designed for building websites. In affected versions users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the following conditions: 1. Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week), 2. • https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5 • CWE-312: Cleartext Storage of Sensitive Information •