Vulnerabilities > Craftercms

DATE CVE VULNERABILITY TITLE RISK
2021-12-02 CVE-2021-23262 Improper Control of Dynamically-Managed Code Resources vulnerability in Craftercms Crafter CMS
Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.
network
low complexity
craftercms CWE-913
6.5
2021-12-02 CVE-2021-23263 Exposure of Resource to Wrong Sphere vulnerability in Craftercms Crafter CMS
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
network
low complexity
craftercms CWE-668
5.0
2021-12-02 CVE-2021-23264 Exposure of Resource to Wrong Sphere vulnerability in Craftercms Crafter CMS
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
network
low complexity
craftercms CWE-668
6.4
2020-11-27 CVE-2017-15686 Cross-site Scripting vulnerability in Craftercms Crafter CMS 3.0.0
Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies.
network
craftercms CWE-79
4.3
2020-11-27 CVE-2017-15685 XML Injection (aka Blind XPath Injection) vulnerability in Craftercms Crafter CMS 3.0.0
Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE).
network
low complexity
craftercms CWE-91
5.0
2020-11-27 CVE-2017-15684 Path Traversal vulnerability in Craftercms Crafter CMS 3.0.0
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.
network
low complexity
craftercms CWE-22
5.0
2020-11-27 CVE-2017-15683 XML Injection (aka Blind XPath Injection) vulnerability in Craftercms Crafter CMS 3.0.0
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
network
low complexity
craftercms CWE-91
5.0
2020-11-27 CVE-2017-15682 Cross-site Scripting vulnerability in Craftercms Crafter CMS 3.0.0
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
network
craftercms CWE-79
4.3
2020-11-27 CVE-2017-15681 Path Traversal vulnerability in Craftercms Crafter CMS 3.0.0
In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.
network
low complexity
craftercms CWE-22
7.5
2020-11-27 CVE-2017-15680 Missing Authorization vulnerability in Craftercms Crafter CMS 3.0.0
In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.
network
low complexity
craftercms CWE-862
6.4