GHSA-7pq5-qcp6-mcww: CKAN has an XSS vector in user uploaded images in group/org and user profiles

GHSA-w3pj-wh35-fq8w: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions

GHSA-wc9m-r3v6-9p5h: Sparkle Signing Checks Bypass

GHSA-w7wm-2425-7p2h: MarbleRun unauthenticated recovery allows Coordinator impersonation

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

### Impact

This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft with certain user permissions setups.

### Patches

This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

### References

https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16

**Craft CMS Privilege Escalation**

Moderate severity GitHub Reviewed Published Jan 3, 2024 in craftcms/cms • Updated Jan 3, 2024

Headline

GHSA-j5g9-j7r4-6qvx: Craft CMS Privilege Escalation

Impact

Patches

References

ghsa: Latest News