CVE-2024-35191 – verbb/formie Server-Side Template Injection for variable-enabled settings
https://notcve.org/view.php?id=CVE-2024-35191
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can place malicious Twig code in settings fields that accept Twig, such as the Submission Title or the Success Message. Because the setting's value is compiled as a template, that code is executed server-side when a submission is created or when the text is rendered. This has been fixed in Formie 2.1.6. • https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420 https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
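The following is an added example, not Formie's code, showing the pattern behind this class of bug and two ways to close it. It assumes twig/twig is installed via Composer; the `Submission` class, the setting value and the property names are constructed for illustration.

```php
<?php
// Added example (not Formie's code): a form setting that accepts Twig is compiled
// as a template, so whoever can edit the setting runs code in the render context.
// Assumes twig/twig is installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical object handed to the template when a form is submitted.
final class Submission
{
    public function __construct(
        public string $email,
        public string $internalNote, // something a form editor should not be able to read
    ) {}
}

$submission = new Submission('alice@example.test', 'VIP account, skip fraud review');

// Constructed "Submission Title" value as a malicious form editor could save it.
// Plain Twig is enough once the string is compiled as a template: it reads any
// variable in the context and calls any Twig function the environment exposes.
$maliciousTitle = 'Submission from {{ submission.email }} / {{ submission.internalNote }} / PHP {{ constant("PHP_VERSION") }}';

$twig = new Environment(new ArrayLoader());

// VULNERABLE: the setting string itself becomes the template.
function renderTitleVulnerable(Environment $twig, string $setting, Submission $s): string
{
    return $twig->createTemplate($setting)->render(['submission' => $s]);
}

// FIX 1: when the value does not need to be a template, treat it as data. The
// developer-authored template is fixed; the setting is only a variable in it.
function renderTitleAsData(Environment $twig, string $setting, Submission $s): string
{
    return $twig->createTemplate('{{ title }} ({{ submission.email }})')
                ->render(['title' => $setting, 'submission' => $s]);
}

// FIX 2: when Twig in settings is a product feature, evaluate it inside Twig's
// sandbox with an explicit allow-list. Anything not listed (functions, object
// properties, methods) raises a SecurityError instead of executing.
function renderTitleSandboxed(string $setting, Submission $s): string
{
    $twig = new Environment(new ArrayLoader());
    $policy = new SecurityPolicy(
        ['if'],                             // allowed tags
        ['escape', 'upper', 'lower'],       // allowed filters
        [],                                 // allowed methods, per class
        [Submission::class => ['email']],   // allowed properties, per class
        []                                  // allowed functions: none, so constant() is rejected
    );
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template
    try {
        return $twig->createTemplate($setting)->render(['submission' => $s]);
    } catch (SecurityError $e) {
        // Log it and fall back; never render partial attacker-controlled output.
        return 'Submission (title rejected: ' . $e->getMessage() . ')';
    }
}

echo renderTitleVulnerable($twig, $maliciousTitle, $submission), PHP_EOL; // leaks internalNote and PHP_VERSION
echo renderTitleAsData($twig, $maliciousTitle, $submission), PHP_EOL;     // prints the braces literally (HTML-escaped)
echo renderTitleSandboxed($maliciousTitle, $submission), PHP_EOL;          // rejected by the sandbox
```

The sandbox is only as tight as its allow-list: listing a filter or function that reaches the filesystem, or allowing a method that returns objects, reopens the hole. The check a practitioner wants is whether any string that a non-developer role can edit ends up in `createTemplate()` or an equivalent string-rendering call; if it does, it is a template injection sink regardless of which setting it is.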
CVE-2020-13868
https://notcve.org/view.php?id=CVE-2020-13868
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. A cross-site request forgery vulnerability affects comment integrity: a forged request is processed as if the victim had submitted it. • https://github.com/verbb/comments/blob/craft-3/CHANGELOG.md#155---2020-05-28-critical • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-13869
https://notcve.org/view.php?id=CVE-2020-13869
An issue was discovered in the Comments plugin before 1.5.6 for Craft CMS. There is stored XSS via a guest name: the name a guest commenter supplies is stored and later rendered without adequate escaping. • https://github.com/verbb/comments/blob/craft-3/CHANGELOG.md#155---2020-05-28-critical • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-13870
https://notcve.org/view.php?id=CVE-2020-13870
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name: a volume name set in the control panel is rendered without adequate escaping, so an admin-editable value becomes a script injection point. • https://github.com/verbb/comments/blob/craft-3/CHANGELOG.md#155---2020-05-28-critical • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
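The two stored XSS entries above (CVE-2020-13869, guest name; CVE-2020-13870, asset volume name) share one lesson: where a string comes from says nothing about whether it is safe to render. The following added example is not the Comments plugin's code; the markup, function names and sample values are constructed to show raw interpolation beside context-correct escaping.

```php
<?php
// Added example, not the Comments plugin's code. A guest-typed name and an
// admin-typed volume name are both data; each must be escaped for the context
// it lands in (HTML text, HTML attribute, JavaScript literal).
declare(strict_types=1);

// Constructed inputs. Anyone can type the first; only an admin can set the second,
// which is exactly why admin-only fields are so often left unescaped.
$guestName  = '<img src=x onerror="alert(document.cookie)">';
$volumeName = 'Uploads" onmouseover="alert(1)';

// VULNERABLE: raw interpolation into an attribute and into element text.
function renderCommentVulnerable(string $name, string $volume): string
{
    return "<div class=\"comment\" data-volume=\"$volume\"><b>$name</b> said ...</div>";
}

// FIXED: HTML-escape with ENT_QUOTES so both element text and quoted attribute
// values are safe; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would silently hide the bad input.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCommentFixed(string $name, string $volume): string
{
    return '<div class="comment" data-volume="' . escapeHtml($volume) . '"><b>'
         . escapeHtml($name) . '</b> said ...</div>';
}

// When the same values are handed to page JavaScript, escape for that context:
// json_encode with the HTML-safe flags, so "</script>" and quotes cannot break out
// of the literal or the enclosing script element.
function jsLiteral(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo renderCommentVulnerable($guestName, $volumeName), PHP_EOL; // live event handlers
echo renderCommentFixed($guestName, $volumeName), PHP_EOL;      // inert text
echo '<script>var author = ', jsLiteral($guestName), ';</script>', PHP_EOL;
```

In Twig templates the equivalent is leaving autoescaping on and not applying `|raw` to stored values; the PHP above is the same rule applied where strings are concatenated by hand (notifications, control-panel widgets, JSON embedded in a page).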
CVE-2020-13485
https://notcve.org/view.php?id=CVE-2020-13485
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP whitelist bypass via an X-Forwarded-For HTTP header: the plugin derives the client address from this attacker-controllable header, so any request can claim a whitelisted IP. • https://github.com/verbb/knock-knock/blob/craft-3/CHANGELOG.md https://limpidsecurity.pl/security-advisories/1/knock-knock-plugin-for-craft-cms • CWE-697: Incorrect Comparison •
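The following added example is not the Knock Knock plugin's code. It contrasts an IP check that believes X-Forwarded-For unconditionally with one that only consults the header when the TCP peer is a known reverse proxy, and then walks the chain from the right to find the first address not written by something we trust. The proxy list, whitelist and request arrays are constructed for the demonstration.

```php
<?php
// Added example, not the Knock Knock plugin's code. Assumes one reverse proxy
// (10.0.0.5) in front of the app that appends the real client IP to X-Forwarded-For.
declare(strict_types=1);

// VULNERABLE: X-Forwarded-For is just a request header; the client sets it freely.
function clientIpVulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

// FIXED: only a trusted proxy's word counts. Walk the chain right-to-left skipping
// hops we trust; the first untrusted hop is the client. Everything further left was
// supplied by that client and is ignored.
function clientIpHardened(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (!in_array($hop, $trustedProxies, true)) {
            // Reject garbage the proxy would never write; fall back to the socket address.
            return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $peer;
        }
    }
    return $peer; // the whole chain is our own proxies
}

// Exact comparison (strict in_array) rather than prefix or substring matching:
// '203.0.113.100' must not match a whitelist entry of '203.0.113.10'.
function isWhitelisted(string $ip, array $whitelist): bool
{
    return in_array($ip, $whitelist, true);
}

$whitelist      = ['203.0.113.10']; // constructed: the one allowed office address
$trustedProxies = ['10.0.0.5'];     // constructed: the only reverse proxy we operate

$cases = [
    // Attacker connects directly and forges the header.
    'forged direct'    => ['REMOTE_ADDR' => '198.51.100.77', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    // Legitimate office user arriving through the trusted proxy.
    'office via proxy' => ['REMOTE_ADDR' => '10.0.0.5',      'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    // Attacker behind the proxy prepends a forged entry; the proxy appends the real one.
    'forged via proxy' => ['REMOTE_ADDR' => '10.0.0.5',      'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 198.51.100.77'],
    // Prefix trick that a substring comparison would let through.
    'prefix via proxy' => ['REMOTE_ADDR' => '10.0.0.5',      'HTTP_X_FORWARDED_FOR' => '203.0.113.100'],
];

foreach ($cases as $label => $server) {
    $v = clientIpVulnerable($server);
    $h = clientIpHardened($server, $trustedProxies);
    printf(
        "%-17s vulnerable=%-14s allowed=%-5s | hardened=%-14s allowed=%s\n",
        $label,
        $v, isWhitelisted($v, $whitelist) ? 'yes' : 'no',
        $h, isWhitelisted($h, $whitelist) ? 'yes' : 'no'
    );
}
```

Only the "office via proxy" case should be allowed by the hardened path; the vulnerable path admits the two forged cases as well. The same trust model is what a framework-level setting such as Yii's `yii\web\Request::$trustedHosts` / `$ipHeaders` (which Craft's request component is built on) is meant to enforce, and the check worth making after any fix is that the deployment actually lists its proxies there rather than trusting every peer.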