| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| | | Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. | 9.8 | Critical |
| | | Cross-site scripting (XSS) vulnerability in the Craft CMS Audit plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. | 5.4 | Medium |
| | | An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings in the Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has "nothing to do with security." | 7.5 | High |
| | | Craft CMS through 4.4.9 is vulnerable to HTML injection. | 6.1 | Medium |
| | | Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. | 5.5 | Medium |
| | | A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names; when the field is added to a category or section, the payload triggers when users visit the Categories or Entries pages respectively. | 5.4 | Medium |
| | | Craft is a platform for creating digital experiences. When a payload is inserted into the label name or instructions of an entry type, a cross-site scripting (XSS) attack fires in the Quick Post widget on the admin dashboard. This issue has been fixed in version 4.3.7. | 6.1 | Medium |
| | | Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). | 8.8 | High |
| | | Craft CMS before 3.7.29 allows XSS. | 6.1 | Medium |
| | | An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential remote code execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). | 9.8 | Critical |
| | | An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. | 6.1 | Medium |
| | | Craft CMS before 3.6.13 has an XSS vulnerability. | 6.1 | Medium |
| | | The SEOmatic component before 3.3.0 for Craft CMS allows server-side template injection that leads to RCE via malformed data to the metacontainers controller. | 9.8 | Critical |
| | | In Craft CMS through 3.1.7, the elevated session password prompt was not rate limited like normal login forms, making brute-force attempts against it possible. | 9.8 | Critical |
| | | Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. | 6.1 | Medium |
| | | In some circumstances, Craft 2 before 2.7.10 and Craft 3 before 3.2.6 were not stripping EXIF data from user-uploaded images when configured to do so, potentially exposing personal/geolocation data to the public. | 5.3 | Medium |
| | | Craft CMS before 3.1.31 does not properly filter XML feeds and thus allows XSS. | 6.1 | Medium |
| | | Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. | 7.2 | High |
| | | Craft CMS before 2.6.2982 allows a potential XSS attack vector by uploading a malicious SVG file. | 5.4 | Medium |
| | | Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. | 5.3 | Medium |
| | | Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. | 6.1 | Medium |
| | | Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. | 5.3 | Medium |
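The password-reset row above (Craft CMS through 3.7.36, X-Forwarded-Host) describes a host-header injection: the application derives the host for the reset link from a request header the attacker controls, so the reset token is mailed out inside a link to the attacker's domain. The following is an added, generic Python illustration of that pattern next to a hardened variant; it is not Craft CMS code. The request dicts, the `TRUSTED_HOSTS` allowlist, `CANONICAL_HOST` and the `/set-password` path are constructed assumptions for the example.

```python
from urllib.parse import urlunsplit

# Assumed deployment configuration (constructed for this example).
TRUSTED_HOSTS = {"cms.example.com", "www.example.com"}
CANONICAL_HOST = "cms.example.com"

# Constructed sample request: the real Host header arrives, and the attacker
# adds an X-Forwarded-Host pointing at a domain they control.
ATTACKER_REQUEST = {
    "scheme": "https",
    "headers": {
        "Host": "cms.example.com",
        "X-Forwarded-Host": "attacker.example",
    },
}

# Constructed sample request: an ordinary request from the real site, with a port suffix.
LEGIT_REQUEST = {
    "scheme": "https",
    "headers": {"Host": "www.example.com:443"},
}


def normalize_host(value):
    """Return a bare lower-case hostname, or None.

    Takes the first entry of a comma-separated X-Forwarded-Host list (proxies
    append to it, so the first entry is the client-facing one), lower-cases it
    and drops any port.  IPv6 literals such as [::1]:8080 keep their brackets.
    """
    if not value:
        return None
    first = value.split(",")[0].strip().lower()
    if first.startswith("["):
        return first.split("]", 1)[0] + "]"
    return first.split(":", 1)[0]


def reset_link_vulnerable(request, token):
    """Build the reset URL from whatever host the request claims.

    Prefers X-Forwarded-Host and falls back to Host: the victim's mail client
    follows a link to the attacker's domain, which receives the reset token
    in the query string.
    """
    headers = request["headers"]
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return urlunsplit((request["scheme"], host, "/set-password", f"code={token}", ""))


def reset_link_hardened(request, token):
    """Build the reset URL only for an allow-listed host.

    A host that is not in TRUSTED_HOSTS (or is missing or malformed) is replaced
    by the configured canonical host, so the token never leaves the real site.
    The scheme is fixed to https instead of being taken from the request.
    """
    headers = request["headers"]
    host = normalize_host(headers.get("X-Forwarded-Host") or headers.get("Host"))
    if host not in TRUSTED_HOSTS:
        host = CANONICAL_HOST
    return urlunsplit(("https", host, "/set-password", f"code={token}", ""))


if __name__ == "__main__":
    for name, req in (("attacker", ATTACKER_REQUEST), ("legit", LEGIT_REQUEST)):
        print(name, "vulnerable:", reset_link_vulnerable(req, "TOKEN"))
        print(name, "hardened:  ", reset_link_hardened(req, "TOKEN"))
```

The hardened variant is the shape of fix the vendor note in that row points at: the host used in outgoing links is taken from explicit configuration (an allowlist plus a canonical fallback) rather than from the default behaviour of trusting the incoming request. When auditing an application for this class, look for any place that builds an absolute URL for email from `Host`, `X-Forwarded-Host` or a framework "current host" helper without comparing it against configured hosts.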