Vulnerabilities > Craftcms > Craft CMS > 3.0.25

DATE CVE VULNERABILITY TITLE RISK
2019-06-18 CVE-2019-12823 Cross-site Scripting vulnerability in Craftcms Craft CMS
Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS.
network
low complexity
craftcms CWE-79
6.1
6.1
2018-12-25 CVE-2018-20465 Missing Encryption of Sensitive Data vulnerability in Craftcms Craft CMS
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
network
low complexity
craftcms CWE-311
7.2
7.2
2018-12-24 CVE-2018-20418 Cross-site Scripting vulnerability in Craftcms Craft CMS 3.0.25
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
network
low complexity
craftcms CWE-79
4.8
4.8