Maven package
org.craftercms/crafter-studio
pkg:maven/org.craftercms/crafter-studio
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6384 | — | — | — | >= 4.0.0, < 4.3.0 | 4.3.0 | Jun 19, 2025 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain R |
| CVE-2022-40634 | — | — | — | >= 3.1.0, < 3.1.23 | 3.1.23 | Sep 13, 2022 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI. |
| CVE-2021-23267 | — | — | — | >= 3.1.0, < 3.1.18 | 3.1.18 | May 16, 2022 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods. |
| CVE-2017-15681 | — | — | — | < 3.0.2 | 3.0.2 | Nov 27, 2020 | In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system, which can lead to RCE. |
| CVE-2017-15684 | — | — | — | < 3.0.2 | 3.0.2 | Nov 27, 2020 | Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system. |
| CVE-2017-15685 | — | — | — | < 3.0.2 | 3.0.2 | Nov 27, 2020 | Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. |
| CVE-2017-15686 | — | — | — | < 3.0.2 | 3.0.2 | Nov 27, 2020 | Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies. |
| CVE-2020-25803 | — | — | — | >= 3.0, < 3.0.27 | 3.0.27 | Oct 6, 2020 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker template exposed objects. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 |
| CVE-2020-25802 | — | — | — | >= 3.0, < 3.0.27 | 3.0.27 | Oct 6, 2020 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy scripting. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior to |
| CVE-2018-19907 | — | — | — | <= 3.0.18 | — | Dec 6, 2018 | A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by creating/editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library durin |