Vulnerabilities > Craftcms > Craft CMS > 3.0.25
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-12-25 | CVE-2018-20465 | Missing Encryption of Sensitive Data vulnerability in Craftcms Craft CMS Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. | 4.0 |
| 2018-12-24 | CVE-2018-20418 | Cross-site Scripting vulnerability in Craftcms Craft CMS 3.0.25 index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab. | 3.5 |