Medium severity · 6.1 · NVD Advisory · Published Apr 22, 2017 · Updated May 13, 2026
CVE-2017-8052
Description
Craft CMS before 2.6.2974 allows XSS attacks.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | < 2.6.2974 | 2.6.2974 |
Affected products (1)
Patches (1)
f7e57018ff48 · Fixed an XSS vulnerability
2 files changed · +16 −0
CHANGELOG.md+3 −0 modified@@ -11,6 +11,9 @@ Craft CMS Changelog ### Fixed - Fixed timezone bug when requesting data for a run chart in `\Craft\ChartHelper::getRunChartDataFromQuery()` +### Security +- Fixed an XSS vulnerability. + ## 2.6.2973 - 2017-04-17 ### Added
src/controllers/TemplatesController.php+13 −0 modified@@ -38,6 +38,19 @@ class TemplatesController extends BaseController // Public Methods // ========================================================================= + /** + * Prevent this controller from being accessed directly + */ + public function beforeAction($action) + { + $actionSegments = craft()->request->getActionSegments(); + if (isset($actionSegments[0]) && $actionSegments[0] === 'templates') { + throw new HttpException(403); + } + + return parent::beforeAction($action); // TODO: Change the autogenerated stub + } + /** * Renders a template. *
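Review bot: In src/controllers/TemplatesController.php, the guard in the new beforeAction() compares `$actionSegments[0] === 'templates'` case-sensitively, and nothing in this hunk shows whether the action segments are normalised before this point, so confirm that a differently cased segment cannot still reach the controller, or compare against a lower-cased value. The return line still carries the IDE leftover `// TODO: Change the autogenerated stub`, which should be dropped. The docblock would be more useful if it said why direct access is blocked and declared @param, @return and @throws HttpException. The commit changes only CHANGELOG.md and this file, so no test asserts that an action request to this controller returns 403; one should be added alongside the fix.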
References (6)
- craftcms.com/changelog (nvd: Release Notes, Vendor Advisory)
- github.com/advisories/GHSA-xv5f-2997-qhrq (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-8052 (ghsa: ADVISORY)
- twitter.com/CraftCMS/status/855535309878112256 (nvd: Third Party Advisory, WEB)
- github.com/craftcms/cms/blob/2.6.2974/CHANGELOG.md (ghsa: WEB)
- github.com/craftcms/cms/commit/f7e57018ff487d1ebbe375f6cb1852f4d79767ff (ghsa: WEB)