Craftercms Crafter_cms
21 CVEs affecting Craftercms Crafter_cms. Latest disclosed: 2023-02-17. Critical: 1, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-15681 | Critical | 9.8 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating sys… |
| CVE-2018-19907 | High | 8.8 | 2018-12-06 | A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a… |
| CVE-2017-15685 | High | 8.6 | 2020-11-27 | Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML tha… |
| CVE-2017-15683 | High | 8.6 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-o… |
| CVE-2021-23264 | High | 8.1 | 2021-12-02 | Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes. |
| CVE-2021-23267 | High | 7.6 | 2022-05-16 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands vi… |
| CVE-2017-15684 | High | 7.5 | 2020-11-27 | Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system. |
| CVE-2021-23260 | Medium | 6.5 | 2021-12-02 | Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site. |
| CVE-2017-15680 | Medium | 6.5 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data. |
| CVE-2022-40635 | Medium | 6.4 | 2022-09-13 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands vi… |
| CVE-2022-40634 | Medium | 6.4 | 2022-09-13 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands vi… |
| CVE-2017-15686 | Medium | 6.1 | 2020-11-27 | Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users' cookies. |
| CVE-2017-15682 | Medium | 6.1 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel. |
| CVE-2021-23263 | Medium | 5.9 | 2021-12-02 | Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary). |
| CVE-2023-26020 | Medium | 5.7 | 2023-02-17 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit… |
| CVE-2021-23261 | Medium | 4.5 | 2021-12-02 | Authenticated administrators may override the system configuration file and cause a denial of service. |
| CVE-2021-23266 | Medium | 4.3 | 2022-05-16 | An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator. |
| CVE-2021-23262 | Medium | 4.2 | 2021-12-02 | Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE. |
| CVE-2021-23259 | Medium | 4.2 | 2021-12-02 | Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script… |
| CVE-2021-23258 | Medium | 4.2 | 2021-12-02 | Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security re… |