Craftercms Crafter_cms

21 CVEs affecting Craftercms Crafter_cms. Latest disclosed: 2023-02-17. Critical: 1, High: 6.

Top CVEs affecting Craftercms Crafter_cms
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2017-15681 | Critical | 9.8 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating sys… |
| CVE-2018-19907 | High | 8.8 | 2018-12-06 | A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a… |
| CVE-2017-15685 | High | 8.6 | 2020-11-27 | Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML tha… |
| CVE-2017-15683 | High | 8.6 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-o… |
| CVE-2021-23264 | High | 8.1 | 2021-12-02 | Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes. |
| CVE-2021-23267 | High | 7.6 | 2022-05-16 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands vi… |
| CVE-2017-15684 | High | 7.5 | 2020-11-27 | Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system. |
| CVE-2021-23260 | Medium | 6.5 | 2021-12-02 | Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site. |
| CVE-2017-15680 | Medium | 6.5 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data. |
| CVE-2022-40635 | Medium | 6.4 | 2022-09-13 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands vi… |
| CVE-2022-40634 | Medium | 6.4 | 2022-09-13 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands vi… |
| CVE-2017-15686 | Medium | 6.1 | 2020-11-27 | Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies. |
| CVE-2017-15682 | Medium | 6.1 | 2020-11-27 | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel. |
| CVE-2021-23263 | Medium | 5.9 | 2021-12-02 | Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary). |
| CVE-2023-26020 | Medium | 5.7 | 2023-02-17 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit… |
| CVE-2021-23261 | Medium | 4.5 | 2021-12-02 | Authenticated administrators may override the system configuration file and cause a denial of service. |
| CVE-2021-23266 | Medium | 4.3 | 2022-05-16 | An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator. |
| CVE-2021-23262 | Medium | 4.2 | 2021-12-02 | Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE. |
| CVE-2021-23259 | Medium | 4.2 | 2021-12-02 | Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script… |
| CVE-2021-23258 | Medium | 4.2 | 2021-12-02 | Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security re… |