Headline
CVE-2021-23261: Security Advisories — Crafter CMS 3.1.17 documentation
Authenticated administrators may override the system configuration file and cause a denial of service.
CV-2021120103¶
Date
2021.12.01
Affected Versions
3.1 < 3.1.12
Vulnerability Type
CWE-79: Improper Neutralization of Input During Web Page Generation(‘Cross-site Scripting’)
Risk
Medium
Description
Stored XSS Vulnerability in File Name of the File Upload function
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23260
CV-2021120106¶
Date
2021.12.01
Affected Versions
3.1 < 3.1.15
Vulnerability Type
CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’)
Risk
Medium
Description
Transmission of Private Resources into a New Sphere (‘Resource Leak’) in CrafterEngine
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23263
CV-2021120107¶
Date
2021.12.01
Affected Versions
3.1 < 3.1.15
Vulnerability Type
CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’) CWE-668 Exposure of Resource to Wrong Sphere
Risk
High
Description
Transmission of Private Resources into a New Sphere (‘Resource Leak’) and Exposureof Resource to Wrong Sphere in Crafter Search
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23264
CV-2020080102¶
Date
2020.08.01
Affected Versions
3.0 < 3.0.27
3.1 < 3.1.7
Vulnerability Type
RCE
Risk
Medium
Description
Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects.
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25803
CV-2018120601¶
Date
2018.12.06
Affected Versions
3.0 < 3.0.19
Vulnerability Type
RCE
Risk
Medium
Description
Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via FreeMarker templates.
CVE
https://nvd.nist.gov/vuln/detail/CVE-2018-19907
CV-2017061502¶
Date
2017.06.15
Affected Versions
3.0 < 3.0.1
Vulnerability Type
Directory Traversal
Risk
Critical
Description
A directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15681
CV-2017061505¶
Date
2017.06.15
Affected Versions
3.0 < 3.0.1
Vulnerability Type
Directory Traversal
Risk
High
Description
A directory traversal vulnerability exists which allows unauthenticated attackers to view files from the operating system.
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15684
CV-2017061507¶
Date
2017.06.15
Affected Versions
3.0 < 3.0.1
Vulnerability Type
Reflected XSS
Risk
Medium
Description
A reflected XSS vulnerability exists which allows remote attackers to steal users’ cookies resulting in them hijacking their session.
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15686