Vendor CVEs
Craftcms
All CVEs
124 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-45406 | | | 0.00 | — | 0.00 | | Sep 9, 2024 | Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input. |
| CVE-2024-41800 | | | 0.00 | — | 0.00 | | Jul 25, 2024 | Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's… |
| CVE-2024-21622 | | | 0.00 | — | 0.01 | | Jan 3, 2024 | Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6.… |
| CVE-2023-40035 | | | 0.00 | — | 0.02 | | Aug 23, 2023 | Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the… |
| CVE-2023-30179 | | | 0.00 | — | 0.02 | | Jun 13, 2023 | CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this… |
| CVE-2023-33195 | | | 0.00 | — | 0.01 | | May 27, 2023 | Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. |
| CVE-2023-33194 | | | 0.00 | — | 0.01 | | May 26, 2023 | Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue… |
| CVE-2023-33196 | | | 0.00 | — | 0.01 | | May 26, 2023 | Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. |
| CVE-2023-33197 | | | 0.00 | — | 0.01 | | May 26, 2023 | Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. |
| CVE-2023-2817 | | | 0.00 | — | 0.00 | | May 26, 2023 | A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries… |
| CVE-2023-32679 | | | 0.00 | — | 0.02 | | May 19, 2023 | Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not an empty string ('') in the View.php's doesTemplateExist() -> resolveTemplate() ->… |
| CVE-2023-31144 | | | 0.00 | — | 0.00 | | May 9, 2023 | Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4. |
| CVE-2023-30177 | | | 0.00 | — | 0.00 | | Apr 25, 2023 | CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into Volume Name. |
| CVE-2023-23927 | | | 0.00 | — | 0.01 | | Mar 3, 2023 | Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, a cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. |
| CVE-2022-37783 | | | 0.00 | — | 0.01 | | Dec 5, 2022 | All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site… |
| CVE-2022-37246 | | | 0.00 | — | 0.00 | | Sep 21, 2022 | Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line label: elementInfo.label. |
| CVE-2022-37251 | | | 0.00 | — | 0.00 | | Sep 16, 2022 | Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts. |
| CVE-2022-37247 | | | 0.00 | — | 0.00 | | Sep 16, 2022 | Craft CMS 4.2.0.1 is vulnerable to a stored cross-site scripting (XSS) via the /admin/settings/fields page. |
| CVE-2022-37248 | | | 0.00 | — | 0.01 | | Sep 16, 2022 | Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php. |
| CVE-2022-37250 | | | 0.00 | — | 0.01 | | Sep 16, 2022 | Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. |
| CVE-2022-29933 | | | 0.00 | — | 0.04 | | May 9, 2022 | Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically,… |
| CVE-2022-28378 | | | 0.00 | — | 0.01 | | Apr 3, 2022 | Craft CMS before 3.7.29 allows XSS. |
| CVE-2021-40502 | | | 0.00 | — | 0.01 | | Nov 10, 2021 | SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to. |
| CVE-2005-2221 | | | 0.00 | — | 0.01 | | Jul 12, 2005 | Multiple SQL injection vulnerabilities in Dragonfly Commerce allow remote attackers to modify SQL statements and possibly execute arbitrary SQL commands via the (1) key parameter to dc_Categoriesview.asp, (2) dc_productslist_Clearance.asp, (3) PID parameter to ratings.asp, (4)… |