| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-29933 | 640 | | | 2022-05-09 | 2022-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). |
| 2 | CVE-2022-28378 | 79 | | XSS | 2022-04-03 | 2022-04-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Craft CMS before 3.7.29 allows XSS. |
| 3 | CVE-2021-41824 | 1236 | | | 2021-09-30 | 2021-11-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Craft CMS before 3.7.14 allows CSV injection. |
| 4 | CVE-2021-32470 | 79 | | XSS | 2021-05-07 | 2021-05-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Craft CMS before 3.6.13 has an XSS vulnerability. |
| 5 | CVE-2021-27903 | 862 | | Exec Code | 2021-06-30 | 2022-07-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). |
| 6 | CVE-2021-27902 | 79 | | XSS | 2021-06-30 | 2021-07-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. |
| 7 | CVE-2020-19626 | 79 | | XSS | 2021-03-26 | 2021-03-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new. |
| 8 | CVE-2020-9757 | 74 | | | 2020-03-04 | 2022-04-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. |
| 9 | CVE-2019-17496 | 79 | | XSS | 2019-10-11 | 2019-10-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. |
| 10 | CVE-2019-15929 | 640 | | | 2019-10-24 | 2019-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. |
| 11 | CVE-2019-14280 | 200 | | +Info | 2019-07-26 | 2019-09-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public. |
| 12 | CVE-2019-12823 | 79 | | XSS | 2019-06-18 | 2021-10-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS. |
| 13 | CVE-2019-9554 | 79 | | XSS | 2019-12-31 | 2020-01-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. |
| 14 | CVE-2018-20465 | 311 | | | 2018-12-25 | 2019-10-03 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. |
| 15 | CVE-2018-20418 | 79 | | XSS | 2018-12-24 | 2019-03-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab. |
| 16 | CVE-2018-3814 | 434 | | Exec Code | 2018-01-01 | 2020-08-24 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension. |
| 17 | CVE-2017-9516 | 79 | | XSS | 2017-06-08 | 2017-08-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. |
| 18 | CVE-2017-8385 | 640 | | | 2017-05-01 | 2017-05-11 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. |
| 19 | CVE-2017-8384 | 79 | | XSS | 2017-05-01 | 2017-05-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. |
| 20 | CVE-2017-8383 | | | | 2017-05-01 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. |
| 21 | CVE-2017-8052 | 79 | | XSS | 2017-04-22 | 2017-04-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Craft CMS before 2.6.2974 allows XSS attacks. |