Craftcms Craft Cms vulnerabilities

CVE-2023-33195 [MEDIUM] CWE-79 CVE-2023-33195: Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.

CVE-2023-33197 [MEDIUM] CWE-80 CVE-2023-33197: Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

CVE-2023-2817 [MEDIUM] CWE-79 CVE-2023-2817: A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4. A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.

CVE-2023-33196 [MEDIUM] CWE-80 CVE-2023-33196: Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.

CVE-2023-33194 [MEDIUM] CWE-80 CVE-2023-33194: Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.

CVE-2023-32679 [HIGH] CWE-74 CVE-2023-32679: Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestri Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly withou

CVE-2023-30130 [HIGH] CWE-94 CVE-2023-30130: An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.

CVE-2023-31144 [MEDIUM] CWE-79 CVE-2023-31144: Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.

CVE-2023-30177 [MEDIUM] CWE-79 CVE-2023-30177: CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code int CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.

CVE-2023-23927 [MEDIUM] CWE-79 CVE-2023-23927: Craft is a platform for creating digital experiences. When you insert a payload inside a label name Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.

CVE-2022-37783 [HIGH] CWE-522 CVE-2022-37783: All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate u All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password ha

CVE-2022-37246 [MEDIUM] CWE-79 CVE-2022-37246: Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/Bas Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.

CVE-2022-37247 [MEDIUM] CWE-79 CVE-2022-37247: Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields pa Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields page.

CVE-2022-37248 [MEDIUM] CWE-79 CVE-2022-37248: Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php. Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.

CVE-2022-37251 [MEDIUM] CWE-79 CVE-2022-37251: Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts. Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.

CVE-2022-37250 [MEDIUM] CWE-79 CVE-2022-37250: Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.

CVE-2022-29933 [HIGH] CWE-640 CVE-2022-29933: Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid user Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/u

CVE-2021-27903 [CRITICAL] CWE-862 CVE-2021-27903: An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Ex An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).

CVE-2021-27902 [MEDIUM] CWE-79 CVE-2021-27902: An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerabil An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.

CVE-2020-19626 [MEDIUM] CWE-79 CVE-2020-19626: Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbit Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.