Vulnerabilities > Craftcms > Craft CMS > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-03-26 | CVE-2020-19626 | Cross-site Scripting vulnerability in Craftcms Craft CMS 3.1.31 Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new. | 5.4 |
| 2019-12-31 | CVE-2019-9554 | Cross-site Scripting vulnerability in Craftcms Craft CMS 3.1.12 In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. | 6.1 |
| 2019-10-11 | CVE-2019-17496 | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft CMS before 3.3.8 has stored XSS via a name field. | 6.1 |
| 2019-07-26 | CVE-2019-14280 | Information Exposure vulnerability in Craftcms Craft CMS In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public. | 5.3 |
| 2019-06-18 | CVE-2019-12823 | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS. | 6.1 |
| 2018-12-24 | CVE-2018-20418 | Cross-site Scripting vulnerability in Craftcms Craft CMS 3.0.25 index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab. | 4.8 |
| 2017-06-08 | CVE-2017-9516 | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. | 5.4 |
| 2017-05-01 | CVE-2017-8385 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Craftcms Craft CMS Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. | 5.3 |
| 2017-05-01 | CVE-2017-8384 | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. | 6.1 |
| 2017-05-01 | CVE-2017-8383 | Unspecified vulnerability in Craftcms Craft CMS Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. | 5.3 |