Vulnerabilities > Craftercms > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-08-03 | CVE-2023-4136 | Cross-site Scripting vulnerability in Craftercms: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS. This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27. | 6.1 |
2023-05-26 | CVE-2023-33194 | Cross-site Scripting vulnerability in multiple products: Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. | 4.8 |
2022-05-16 | CVE-2021-23265 | Unspecified vulnerability in Craftercms Crafter CMS: A logged-in and authenticated user with a Reviewer Role may lock a content item. | 4.0 |
2022-05-16 | CVE-2021-23266 | Improper Encoding or Escaping of Output vulnerability in Craftercms Crafter CMS: An anonymous user can craft a URL with text that ends up in the log viewer as is. | 4.3 |
2021-12-02 | CVE-2021-23258 | Improper Control of Dynamically-Managed Code Resources vulnerability in Craftercms Crafter CMS: Authenticated users with Administrator or Developer roles may execute OS commands via a SpEL expression in Spring beans. | 6.5 |
2021-12-02 | CVE-2021-23259 | Improper Control of Dynamically-Managed Code Resources vulnerability in Craftercms Crafter CMS: Authenticated users with Administrator or Developer roles may execute OS commands via a Groovy script, which uses the Groovy library to render a web page. | 6.5 |
2021-12-02 | CVE-2021-23261 | Unspecified vulnerability in Craftercms Crafter CMS: Authenticated administrators may override the system configuration file and cause a denial of service. | 4.0 |
2021-12-02 | CVE-2021-23262 | Improper Control of Dynamically-Managed Code Resources vulnerability in Craftercms Crafter CMS: Authenticated administrators may modify the main YAML configuration file and load a Java class, resulting in RCE. | 6.5 |
2021-12-02 | CVE-2021-23263 | Exposure of Resource to Wrong Sphere vulnerability in Craftercms Crafter CMS: Unauthenticated remote attackers can read textual content via FreeMarker, including files under /scripts/*, /templates/* and some of the (non-binary) files in /.git/*. | 5.0 |
2021-12-02 | CVE-2021-23264 | Exposure of Resource to Wrong Sphere vulnerability in Craftercms Crafter CMS: Installations where crafter-search is not protected allow unauthenticated remote attackers to create, view, and delete search indexes. | 6.4 |