Search criteria
63 vulnerabilities found for crafter_cms by craftercms
FKIE_CVE-2023-26020
Vulnerability from fkie_nvd - Published: 2023-02-17 18:15 - Updated: 2024-11-21 07:50
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * | |
| craftercms | crafter_cms | * | |
| apple | macos | - | |
| linux | linux_kernel | - | |
| microsoft | windows | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "056B1C77-8EC9-4E5E-8065-05337645C909",
"versionEndIncluding": "3.1.26",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6BED1219-8FA4-483C-9DBB-95A929384840",
"versionEndIncluding": "4.0.1",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.\n\n"
}
],
"id": "CVE-2023-26020",
"lastModified": "2024-11-21T07:50:36.543",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.2,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-17T18:15:12.180",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023021701"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023021701"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-40635
Vulnerability from fkie_nvd - Published: 2022-09-13 19:15 - Updated: 2024-11-21 07:21
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6D4673-2898-4073-9239-71735D0FA5F2",
"versionEndExcluding": "3.1.23",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Control Inapropiado de los Recursos de C\u00f3digo Administrados Din\u00e1micamente en Crafter Studio de Crafter CMS permite a desarrolladores autenticados ejecutar comandos del Sistema Operativo por medio de Groovy Sandbox Bypass"
}
],
"id": "CVE-2022-40635",
"lastModified": "2024-11-21T07:21:45.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.9,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-13T19:15:13.440",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-40634
Vulnerability from fkie_nvd - Published: 2022-09-13 19:15 - Updated: 2024-11-21 07:21
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6D4673-2898-4073-9239-71735D0FA5F2",
"versionEndExcluding": "3.1.23",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Control Inapropiado de los Recursos de C\u00f3digo Administrados Din\u00e1micamente en Crafter Studio de Crafter CMS permite a desarrolladores autenticados ejecutar comandos del Sistema Operativo por medio de FreeMarker SSTI"
}
],
"id": "CVE-2022-40634",
"lastModified": "2024-11-21T07:21:45.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.9,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-13T19:15:13.350",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23267
Vulnerability from fkie_nvd - Published: 2022-05-16 17:15 - Updated: 2024-11-21 05:51
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6974FEAC-905A-4572-A767-AF0216F5DAD8",
"versionEndExcluding": "3.1.18",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Control Inapropiado de los Recursos de C\u00f3digo Administrados Din\u00e1micamente en Crafter Studio de Crafter CMS permite a desarrolladores autenticados ejecutar comandos del sistema operativo por medio de m\u00e9todos est\u00e1ticos de FreeMarker"
}
],
"id": "CVE-2021-23267",
"lastModified": "2024-11-21T05:51:28.207",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 6.0,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-16T17:15:09.393",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23265
Vulnerability from fkie_nvd - Published: 2022-05-16 17:15 - Updated: 2024-11-21 05:51
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
A logged-in and authenticated user with a Reviewer Role may lock a content item.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6974FEAC-905A-4572-A767-AF0216F5DAD8",
"versionEndExcluding": "3.1.18",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A logged-in and authenticated user with a Reviewer Role may lock a content item."
},
{
"lang": "es",
"value": "Un usuario conectado y autenticado con un rol de revisor puede bloquear un elemento de contenido"
}
],
"id": "CVE-2021-23265",
"lastModified": "2024-11-21T05:51:27.983",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-16T17:15:09.057",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23266
Vulnerability from fkie_nvd - Published: 2022-05-16 17:15 - Updated: 2024-11-21 05:51
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6974FEAC-905A-4572-A767-AF0216F5DAD8",
"versionEndExcluding": "3.1.18",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator."
},
{
"lang": "es",
"value": "Un usuario an\u00f3nimo puede dise\u00f1ar una URL con texto que acabe en el visor de registros tal cual. El texto puede entonces incluir mensajes de texto para enga\u00f1ar al administrador"
}
],
"id": "CVE-2021-23266",
"lastModified": "2024-11-21T05:51:28.097",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-16T17:15:09.327",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-117"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23262
Vulnerability from fkie_nvd - Published: 2021-12-02 16:15 - Updated: 2024-11-21 05:51
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00C85031-2E92-466B-8935-C065E813B449",
"versionEndExcluding": "3.1.13",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE."
},
{
"lang": "es",
"value": "Los administradores autenticados pueden modificar el archivo principal de configuraci\u00f3n YAML y cargar una clase Java que resulte en RCE"
}
],
"id": "CVE-2021-23262",
"lastModified": "2024-11-21T05:51:27.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 3.6,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-02T16:15:07.680",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120105"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120105"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23259
Vulnerability from fkie_nvd - Published: 2021-12-02 16:15 - Updated: 2024-11-21 05:51
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6B0250B-7A80-4E49-9502-808764EAFAA7",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE)."
},
{
"lang": "es",
"value": "Los usuarios autenticados con roles de Administrador o Desarrollador pueden ejecutar comandos del sistema operativo mediante el Script Groovy que usa Groovy lib para renderizar una p\u00e1gina web. El script groovy no presenta restricciones de seguridad, lo que causar\u00e1 que atacantes ejecuten comandos arbitrarios de forma remota (RCE)"
}
],
"id": "CVE-2021-23259",
"lastModified": "2024-11-21T05:51:27.207",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 3.6,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-02T16:15:07.513",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120102"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120102"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23261
Vulnerability from fkie_nvd - Published: 2021-12-02 16:15 - Updated: 2024-11-21 05:51
Severity ?
4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
Authenticated administrators may override the system configuration file and cause a denial of service.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00C85031-2E92-466B-8935-C065E813B449",
"versionEndExcluding": "3.1.13",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Authenticated administrators may override the system configuration file and cause a denial of service."
},
{
"lang": "es",
"value": "Los administradores autenticados pueden anular el archivo de configuraci\u00f3n del sistema y causar una denegaci\u00f3n de servicio"
}
],
"id": "CVE-2021-23261",
"lastModified": "2024-11-21T05:51:27.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-02T16:15:07.623",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120104"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120104"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-703"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23260
Vulnerability from fkie_nvd - Published: 2021-12-02 16:15 - Updated: 2024-11-21 05:51
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6B0250B-7A80-4E49-9502-808764EAFAA7",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site."
},
{
"lang": "es",
"value": "Los usuarios autenticados con roles de Sitio pueden inyectar scripts de tipo XSS por medio de nombres de archivos que ser\u00e1n ejecutados en el navegador para este y otros usuarios del mismo sitio"
}
],
"id": "CVE-2021-23260",
"lastModified": "2024-11-21T05:51:27.373",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 4.7,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-02T16:15:07.563",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120103"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120103"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23264
Vulnerability from fkie_nvd - Published: 2021-12-02 16:15 - Updated: 2024-11-21 05:51
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5F3CC11-FBDB-48C3-A9E9-87EC6FC09E71",
"versionEndExcluding": "3.1.15",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes."
},
{
"lang": "es",
"value": "Las instalaciones en las que crafter-search no est\u00e1 protegido permiten a atacantes remotos no autenticados crear, visualizar y eliminar \u00edndices de b\u00fasqueda"
}
],
"id": "CVE-2021-23264",
"lastModified": "2024-11-21T05:51:27.873",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-02T16:15:07.787",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-402"
},
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23263
Vulnerability from fkie_nvd - Published: 2021-12-02 16:15 - Updated: 2024-11-21 05:51
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5F3CC11-FBDB-48C3-A9E9-87EC6FC09E71",
"versionEndExcluding": "3.1.15",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
},
{
"lang": "es",
"value": "Los atacantes remotos no autenticados pueden leer contenido textual por medio de FreeMarker incluyendo los archivos /scripts/*, /templates/* y algunos de los archivos en /.git/* (no binarios)"
}
],
"id": "CVE-2021-23263",
"lastModified": "2024-11-21T05:51:27.747",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-02T16:15:07.730",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-402"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23258
Vulnerability from fkie_nvd - Published: 2021-12-02 16:15 - Updated: 2024-11-21 05:51
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftercms | crafter_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6B0250B-7A80-4E49-9502-808764EAFAA7",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE)."
},
{
"lang": "es",
"value": "Los usuarios autenticados con roles de Administrador o Desarrollador pueden ejecutar comandos del SO mediante SPEL Expression en Spring beans. SPEL Expression no presenta restricciones de seguridad, lo que causar\u00e1 que atacantes ejecuten comandos arbitrarios de forma remota (RCE)"
}
],
"id": "CVE-2021-23258",
"lastModified": "2024-11-21T05:51:27.057",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 3.6,
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-02T16:15:07.437",
"references": [
{
"source": "security@craftersoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120101"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120101"
}
],
"sourceIdentifier": "security@craftersoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@craftersoftware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-26020 (GCVE-0-2023-26020)
Vulnerability from cvelistv5 – Published: 2023-02-17 17:24 – Updated: 2025-03-12 20:05
VLAI?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.
Severity ?
5.7 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CrafterCMS | CrafterCMS |
Affected:
4.0.0 , ≤ 4.0.1
(semver)
Affected: 3.1.0 , ≤ 3.1.26 (semver) |
Credits
Gil Correia <gil.correia@devoteam.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023021701"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T20:05:35.144543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T20:05:48.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Studio",
"platforms": [
"Linux",
"MacOS",
"Windows",
"x86",
"ARM",
"64 bit"
],
"product": "CrafterCMS",
"vendor": "CrafterCMS",
"versions": [
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.1.26",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Gil Correia \u003cgil.correia@devoteam.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.\u003cp\u003eThis issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-17T17:24:45.089Z",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023021701"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2023-26020",
"datePublished": "2023-02-17T17:24:45.089Z",
"dateReserved": "2023-02-17T17:01:02.361Z",
"dateUpdated": "2025-03-12T20:05:48.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40635 (GCVE-0-2022-40635)
Vulnerability from cvelistv5 – Published: 2022-09-13 18:25 – Updated: 2024-09-16 16:13
VLAI?
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
Severity ?
6.4 (Medium)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.22
(custom)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.22",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Matei \"Mal\" Badanoiu"
}
],
"datePublic": "2022-09-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T18:25:10",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-09-13T15:42:00.000Z",
"ID": "CVE-2022-40635",
"STATE": "PUBLIC",
"TITLE": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.22"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Matei \"Mal\" Badanoiu"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2022-40635",
"datePublished": "2022-09-13T18:25:10.622257Z",
"dateReserved": "2022-09-13T00:00:00",
"dateUpdated": "2024-09-16T16:13:57.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40634 (GCVE-0-2022-40634)
Vulnerability from cvelistv5 – Published: 2022-09-13 18:25 – Updated: 2024-09-16 23:36
VLAI?
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.
Severity ?
6.4 (Medium)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.22
(custom)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.22",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Matei \"Mal\" Badanoiu"
}
],
"datePublic": "2022-09-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T18:25:09",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-09-13T15:42:00.000Z",
"ID": "CVE-2022-40634",
"STATE": "PUBLIC",
"TITLE": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.22"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Matei \"Mal\" Badanoiu"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2022-40634",
"datePublished": "2022-09-13T18:25:09.814692Z",
"dateReserved": "2022-09-13T00:00:00",
"dateUpdated": "2024-09-16T23:36:30.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23267 (GCVE-0-2021-23267)
Vulnerability from cvelistv5 – Published: 2022-05-16 17:05 – Updated: 2024-09-16 23:20
VLAI?
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.
Severity ?
7.6 (High)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.17
(custom)
|
Credits
Kai Zhao (ToTU Security Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.17",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kai Zhao (ToTU Security Team)"
}
],
"datePublic": "2022-05-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T17:05:25",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-05-16T14:58:00.000Z",
"ID": "CVE-2021-23267",
"STATE": "PUBLIC",
"TITLE": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.17"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kai Zhao (ToTU Security Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23267",
"datePublished": "2022-05-16T17:05:25.974285Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T23:20:45.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23266 (GCVE-0-2021-23266)
Vulnerability from cvelistv5 – Published: 2022-05-16 17:05 – Updated: 2024-09-16 17:14
VLAI?
Summary
An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.
Severity ?
4.3 (Medium)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.17
(custom)
|
Credits
Faizan Ahmad Wani
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.17",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Faizan Ahmad Wani"
}
],
"datePublic": "2022-05-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T17:05:24",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Output Neutralization for Logs in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-05-16T14:49:00.000Z",
"ID": "CVE-2021-23266",
"STATE": "PUBLIC",
"TITLE": "Improper Output Neutralization for Logs in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.17"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Faizan Ahmad Wani"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-117 Improper Output Neutralization for Logs"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23266",
"datePublished": "2022-05-16T17:05:24.567886Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T17:14:27.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23265 (GCVE-0-2021-23265)
Vulnerability from cvelistv5 – Published: 2022-05-16 17:05 – Updated: 2024-09-16 20:36
VLAI?
Summary
A logged-in and authenticated user with a Reviewer Role may lock a content item.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.17
(custom)
|
Credits
Faizan Ahmad Wani
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.17",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Faizan Ahmad Wani"
}
],
"datePublic": "2022-05-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A logged-in and authenticated user with a Reviewer Role may lock a content item."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T17:05:21",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Privilege Management in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-05-16T13:57:00.000Z",
"ID": "CVE-2021-23265",
"STATE": "PUBLIC",
"TITLE": "Improper Privilege Management in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.17"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Faizan Ahmad Wani"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A logged-in and authenticated user with a Reviewer Role may lock a content item."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23265",
"datePublished": "2022-05-16T17:05:22.145199Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T20:36:21.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23264 (GCVE-0-2021-23264)
Vulnerability from cvelistv5 – Published: 2021-12-02 15:40 – Updated: 2024-09-16 19:15
VLAI?
Summary
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
Severity ?
8.1 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , < 3.1.15
(custom)
|
Credits
Sparsh Kulshrestha
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sparsh Kulshrestha"
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668 Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T15:40:59",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) and Exposure of Resource to Wrong Sphere in Crafter Search",
"workarounds": [
{
"lang": "en",
"value": "Disable remote access to crafter-search."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2021-12-01T15:40:00.000Z",
"ID": "CVE-2021-23264",
"STATE": "PUBLIC",
"TITLE": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) and Exposure of Resource to Wrong Sphere in Crafter Search"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.1",
"version_value": "3.1.15"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Sparsh Kulshrestha"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-668 Exposure of Resource to Wrong Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
]
},
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Disable remote access to crafter-search."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23264",
"datePublished": "2021-12-02T15:40:59.160175Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T19:15:49.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23263 (GCVE-0-2021-23263)
Vulnerability from cvelistv5 – Published: 2021-12-02 15:40 – Updated: 2024-09-16 23:36
VLAI?
Summary
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
Severity ?
5.9 (Medium)
CWE
- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , < 3.1.15
(custom)
|
Credits
Carlos Ortiz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:54.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Carlos Ortiz"
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T15:40:58",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2021-12-01T15:40:00.000Z",
"ID": "CVE-2021-23263",
"STATE": "PUBLIC",
"TITLE": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.1",
"version_value": "3.1.15"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Carlos Ortiz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23263",
"datePublished": "2021-12-02T15:40:58.466621Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T23:36:18.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23262 (GCVE-0-2021-23262)
Vulnerability from cvelistv5 – Published: 2021-12-02 15:40 – Updated: 2024-09-16 21:57
VLAI?
Summary
Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.
Severity ?
4.2 (Medium)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , < 3.1.13
(custom)
|
Credits
Kai Zhao (ToTU Security Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120105"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThan": "3.1.13",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kai Zhao (ToTU Security Team)"
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T15:40:57",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120105"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Snakeyaml deserialization vulnerability bypass",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2021-12-01T15:40:00.000Z",
"ID": "CVE-2021-23262",
"STATE": "PUBLIC",
"TITLE": "Snakeyaml deserialization vulnerability bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.1",
"version_value": "3.1.13"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kai Zhao (ToTU Security Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120105",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120105"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23262",
"datePublished": "2021-12-02T15:40:57.695452Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T21:57:11.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26020 (GCVE-0-2023-26020)
Vulnerability from nvd – Published: 2023-02-17 17:24 – Updated: 2025-03-12 20:05
VLAI?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.
Severity ?
5.7 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CrafterCMS | CrafterCMS |
Affected:
4.0.0 , ≤ 4.0.1
(semver)
Affected: 3.1.0 , ≤ 3.1.26 (semver) |
Credits
Gil Correia <gil.correia@devoteam.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023021701"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T20:05:35.144543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T20:05:48.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Studio",
"platforms": [
"Linux",
"MacOS",
"Windows",
"x86",
"ARM",
"64 bit"
],
"product": "CrafterCMS",
"vendor": "CrafterCMS",
"versions": [
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.1.26",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Gil Correia \u003cgil.correia@devoteam.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.\u003cp\u003eThis issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-17T17:24:45.089Z",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023021701"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2023-26020",
"datePublished": "2023-02-17T17:24:45.089Z",
"dateReserved": "2023-02-17T17:01:02.361Z",
"dateUpdated": "2025-03-12T20:05:48.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40635 (GCVE-0-2022-40635)
Vulnerability from nvd – Published: 2022-09-13 18:25 – Updated: 2024-09-16 16:13
VLAI?
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
Severity ?
6.4 (Medium)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.22
(custom)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.22",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Matei \"Mal\" Badanoiu"
}
],
"datePublic": "2022-09-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T18:25:10",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-09-13T15:42:00.000Z",
"ID": "CVE-2022-40635",
"STATE": "PUBLIC",
"TITLE": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.22"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Matei \"Mal\" Badanoiu"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2022-40635",
"datePublished": "2022-09-13T18:25:10.622257Z",
"dateReserved": "2022-09-13T00:00:00",
"dateUpdated": "2024-09-16T16:13:57.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40634 (GCVE-0-2022-40634)
Vulnerability from nvd – Published: 2022-09-13 18:25 – Updated: 2024-09-16 23:36
VLAI?
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.
Severity ?
6.4 (Medium)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.22
(custom)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.22",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Matei \"Mal\" Badanoiu"
}
],
"datePublic": "2022-09-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T18:25:09",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-09-13T15:42:00.000Z",
"ID": "CVE-2022-40634",
"STATE": "PUBLIC",
"TITLE": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.22"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Matei \"Mal\" Badanoiu"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2022-40634",
"datePublished": "2022-09-13T18:25:09.814692Z",
"dateReserved": "2022-09-13T00:00:00",
"dateUpdated": "2024-09-16T23:36:30.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23267 (GCVE-0-2021-23267)
Vulnerability from nvd – Published: 2022-05-16 17:05 – Updated: 2024-09-16 23:20
VLAI?
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.
Severity ?
7.6 (High)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.17
(custom)
|
Credits
Kai Zhao (ToTU Security Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.17",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kai Zhao (ToTU Security Team)"
}
],
"datePublic": "2022-05-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T17:05:25",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-05-16T14:58:00.000Z",
"ID": "CVE-2021-23267",
"STATE": "PUBLIC",
"TITLE": "Improper Control of Dynamically-Managed Code Resources in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.17"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kai Zhao (ToTU Security Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051603"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23267",
"datePublished": "2022-05-16T17:05:25.974285Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T23:20:45.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23266 (GCVE-0-2021-23266)
Vulnerability from nvd – Published: 2022-05-16 17:05 – Updated: 2024-09-16 17:14
VLAI?
Summary
An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.
Severity ?
4.3 (Medium)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.17
(custom)
|
Credits
Faizan Ahmad Wani
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.17",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Faizan Ahmad Wani"
}
],
"datePublic": "2022-05-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T17:05:24",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Output Neutralization for Logs in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-05-16T14:49:00.000Z",
"ID": "CVE-2021-23266",
"STATE": "PUBLIC",
"TITLE": "Improper Output Neutralization for Logs in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.17"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Faizan Ahmad Wani"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-117 Improper Output Neutralization for Logs"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23266",
"datePublished": "2022-05-16T17:05:24.567886Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T17:14:27.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23265 (GCVE-0-2021-23265)
Vulnerability from nvd – Published: 2022-05-16 17:05 – Updated: 2024-09-16 20:36
VLAI?
Summary
A logged-in and authenticated user with a Reviewer Role may lock a content item.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , ≤ 3.1.17
(custom)
|
Credits
Faizan Ahmad Wani
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThanOrEqual": "3.1.17",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Faizan Ahmad Wani"
}
],
"datePublic": "2022-05-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A logged-in and authenticated user with a Reviewer Role may lock a content item."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T17:05:21",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Privilege Management in Crafter Studio",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2022-05-16T13:57:00.000Z",
"ID": "CVE-2021-23265",
"STATE": "PUBLIC",
"TITLE": "Improper Privilege Management in Crafter Studio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1",
"version_value": "3.1.17"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Faizan Ahmad Wani"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A logged-in and authenticated user with a Reviewer Role may lock a content item."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23265",
"datePublished": "2022-05-16T17:05:22.145199Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T20:36:21.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23264 (GCVE-0-2021-23264)
Vulnerability from nvd – Published: 2021-12-02 15:40 – Updated: 2024-09-16 19:15
VLAI?
Summary
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
Severity ?
8.1 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , < 3.1.15
(custom)
|
Credits
Sparsh Kulshrestha
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sparsh Kulshrestha"
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668 Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T15:40:59",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) and Exposure of Resource to Wrong Sphere in Crafter Search",
"workarounds": [
{
"lang": "en",
"value": "Disable remote access to crafter-search."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2021-12-01T15:40:00.000Z",
"ID": "CVE-2021-23264",
"STATE": "PUBLIC",
"TITLE": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) and Exposure of Resource to Wrong Sphere in Crafter Search"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.1",
"version_value": "3.1.15"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Sparsh Kulshrestha"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-668 Exposure of Resource to Wrong Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
]
},
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Disable remote access to crafter-search."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23264",
"datePublished": "2021-12-02T15:40:59.160175Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T19:15:49.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23263 (GCVE-0-2021-23263)
Vulnerability from nvd – Published: 2021-12-02 15:40 – Updated: 2024-09-16 23:36
VLAI?
Summary
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
Severity ?
5.9 (Medium)
CWE
- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , < 3.1.15
(custom)
|
Credits
Carlos Ortiz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:54.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Carlos Ortiz"
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T15:40:58",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2021-12-01T15:40:00.000Z",
"ID": "CVE-2021-23263",
"STATE": "PUBLIC",
"TITLE": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.1",
"version_value": "3.1.15"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Carlos Ortiz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23263",
"datePublished": "2021-12-02T15:40:58.466621Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T23:36:18.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}