CVE-2024-21622 — Improper Privilege Management in Craft CMS

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

8.8HIGHNVD

CNA5.4

EPSS

0.1%

top 71.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedJan 3

Description

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Packagistcraftcms/cms4.0.0-RC1 — 4.5.11+1

▶NVDcraftcms/craft_cms3.0.0 — 3.9.6+1

▶CVEListV5craftcms/cms>= 3.0.0, < 3.9.6, >= 4.0.0-RC1, < 4.5.11+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Craft CMS Privilege Escalation↗2024-01-03

▶

GHSA

Craft CMS Privilege Escalation↗2024-01-03

▶

OSV

Craft CMS Privilege Escalation↗2024-01-03

▶