Vulnerabilities > Craftcms > Craft CMS > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-09 | CVE-2022-29933 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Craftcms Craft CMS Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. | 8.8 |
| 2021-09-30 | CVE-2021-41824 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Craftcms Craft CMS Craft CMS before 3.7.14 allows CSV injection. | 8.8 |
| 2018-12-25 | CVE-2018-20465 | Missing Encryption of Sensitive Data vulnerability in Craftcms Craft CMS Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. | 7.2 |
| 2018-01-01 | CVE-2018-3814 | Unrestricted Upload of File with Dangerous Type vulnerability in Craftcms Craft CMS 2.6.3000 Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension. | 8.8 |