VYPR

Vendor CVEs

Craftcms

All CVEs

124 total · sorted by risk
  • CVE-2024-45406Sep 9, 2024
    risk 0.00cvss epss 0.00

    Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.

  • CVE-2024-41800Jul 25, 2024
    risk 0.00cvss epss 0.00

    Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's…

  • CVE-2024-21622Jan 3, 2024
    risk 0.00cvss epss 0.01

    Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6.…

  • CVE-2023-40035Aug 23, 2023
    risk 0.00cvss epss 0.02

    Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the…

  • CVE-2023-30179Jun 13, 2023
    risk 0.00cvss epss 0.02

    CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this…

  • CVE-2023-33195May 27, 2023
    risk 0.00cvss epss 0.01

    Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.

  • CVE-2023-33194May 26, 2023
    risk 0.00cvss epss 0.01

    Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue…

  • CVE-2023-33196May 26, 2023
    risk 0.00cvss epss 0.01

    Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.

  • CVE-2023-33197May 26, 2023
    risk 0.00cvss epss 0.01

    Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

  • CVE-2023-2817May 26, 2023
    risk 0.00cvss epss 0.00

    A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries…

  • CVE-2023-32679May 19, 2023
    risk 0.00cvss epss 0.02

    Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() ->…

  • CVE-2023-31144May 9, 2023
    risk 0.00cvss epss 0.00

    Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.

  • CVE-2023-30177Apr 25, 2023
    risk 0.00cvss epss 0.00

    CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.

  • CVE-2023-23927Mar 3, 2023
    risk 0.00cvss epss 0.01

    Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.

  • CVE-2022-37783Dec 5, 2022
    risk 0.00cvss epss 0.01

    All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site…

  • CVE-2022-37246Sep 21, 2022
    risk 0.00cvss epss 0.00

    Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.

  • CVE-2022-37251Sep 16, 2022
    risk 0.00cvss epss 0.00

    Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.

  • CVE-2022-37247Sep 16, 2022
    risk 0.00cvss epss 0.00

    Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields page.

  • CVE-2022-37248Sep 16, 2022
    risk 0.00cvss epss 0.01

    Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.

  • CVE-2022-37250Sep 16, 2022
    risk 0.00cvss epss 0.01

    Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.

  • CVE-2022-29933May 9, 2022
    risk 0.00cvss epss 0.04

    Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically,…

  • CVE-2022-28378Apr 3, 2022
    risk 0.00cvss epss 0.01

    Craft CMS before 3.7.29 allows XSS.

  • CVE-2021-40502Nov 10, 2021
    risk 0.00cvss epss 0.01

    SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.

  • CVE-2005-2221Jul 12, 2005
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in Dragonfly Commerce allows remote attackers to modify SQL statements and possibly execute arbitrary SQL commands via the (1) key parameter to dc_Categoriesview.asp, (2) dc_productslist_Clearance.asp, (3) PID parameter to ratings.asp, (4)…

Page 3 of 3