Craftcms: >> Craft Cms Security Vulnerabilities
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
CVSS Score
4.8
EPSS Score
0.005
Published
2018-12-24
Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.
CVSS Score
8.8
EPSS Score
0.007
Published
2018-01-01
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
CVSS Score
5.4
EPSS Score
0.009
Published
2017-06-08
Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.
CVSS Score
5.3
EPSS Score
0.003
Published
2017-05-01
Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-05-01
Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.
CVSS Score
5.3
EPSS Score
0.003
Published
2017-05-01
Craft CMS before 2.6.2974 allows XSS attacks.
CVSS Score
6.1
EPSS Score
0.004
Published
2017-04-22
Page 6