Shodan
Vulnerabilities
Vulnerable Software
Craftcms:  Security Vulnerabilities
CVE-2019-15929
In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-10-24
CVE-2019-17496
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-11
CVE-2019-14280
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
CVSS Score
5.3
EPSS Score
0.159
Published
2019-07-26
CVE-2019-12823
Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-06-18
CVE-2018-20465
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
CVSS Score
7.2
EPSS Score
0.007
Published
2018-12-25
CVE-2018-20418
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
CVSS Score
4.8
EPSS Score
0.005
Published
2018-12-24
CVE-2018-3814
Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.
CVSS Score
8.8
EPSS Score
0.007
Published
2018-01-01
CVE-2017-9516
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
CVSS Score
5.4
EPSS Score
0.009
Published
2017-06-08
CVE-2017-8383
Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.
CVSS Score
5.3
EPSS Score
0.003
Published
2017-05-01
CVE-2017-8384
Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-05-01


Products
Pricing
Contact Us

Shodan ® - All rights reserved