Note: This project will be discontinued after December 13, 2021.
Product: Crafter_cms (Craftercms)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 21 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-12-02 | CVE-2021-23259 | Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE). | Crafter_cms | 7.2 | ||
2021-12-02 | CVE-2021-23260 | Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site. | Crafter_cms | 5.4 | ||
2021-12-02 | CVE-2021-23261 | Authenticated administrators may override the system configuration file and cause a denial of service. | Crafter_cms | 4.9 | ||
2021-12-02 | CVE-2021-23262 | Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE. | Crafter_cms | 7.2 | ||
2021-12-02 | CVE-2021-23263 | Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary). | Crafter_cms | 7.5 | ||
2021-12-02 | CVE-2021-23264 | Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes. | Crafter_cms | 9.1 | ||
2022-05-16 | CVE-2021-23265 | A logged-in and authenticated user with a Reviewer Role may lock a content item. | Crafter_cms | 4.3 | ||
2022-05-16 | CVE-2021-23266 | An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator. | Crafter_cms | 4.3 | ||
2022-05-16 | CVE-2021-23267 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods. | Crafter_cms | 8.8 | ||
2022-09-13 | CVE-2022-40634 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI. | Crafter_cms | 7.2 | ||