Craftercms Crafter Cms — known CVE vulnerabilities
Every CVE whose affected-product data names Craftercms Crafter Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (21)
CVE-2017-15681 — CVSS 9.8 (critical): In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files…
CVE-2018-19907 — CVSS 8.8 (high): A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by…
CVE-2017-15683 — CVSS 8.6 (high): In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the…
CVE-2017-15685 — CVSS 8.6 (high): Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with…
CVE-2021-23264 — CVSS 8.1 (high): Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
CVE-2021-23267 — CVSS 7.6 (high): Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to…
CVE-2017-15684 — CVSS 7.5 (high): Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the…
CVE-2017-15680 — CVSS 6.5 (medium): In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative…
CVE-2021-23260 — CVSS 6.5 (medium): Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the…
CVE-2022-40634 — CVSS 6.4 (medium): Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to…
CVE-2022-40635 — CVSS 6.4 (medium): Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to…
CVE-2017-15682 — CVSS 6.1 (medium): In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS…
CVE-2017-15686 — CVSS 6.1 (medium): Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies.
CVE-2021-23263 — CVSS 5.9 (medium): Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in…
CVE-2023-26020 — CVSS 5.7 (medium): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS…
CVE-2021-23261 — CVSS 4.5 (medium): Authenticated administrators may override the system configuration file and cause a denial of service.
CVE-2021-23266 — CVSS 4.3 (medium): An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the…
CVE-2021-23259 — CVSS 4.2 (medium): Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a…
CVE-2021-23262 — CVSS 4.2 (medium): Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.
CVE-2021-23258 — CVSS 4.2 (medium): Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does…