Total
45 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14280 | 1 Craftcms | 1 Craft Cms | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public. | |||||
| CVE-2018-20465 | 1 Craftcms | 1 Craft Cms | 2024-02-04 | 4.0 MEDIUM | 7.2 HIGH |
| Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. | |||||
| CVE-2018-20418 | 1 Craftcms | 1 Craft Cms | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
| index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab. | |||||
| CVE-2017-9516 | 1 Craftcms | 1 Craft Cms | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. | |||||
| CVE-2018-3814 | 1 Craftcms | 1 Craft Cms | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension. | |||||