craftcms/cms Security Advisories for 4.3.8.1 (15)
-
[HIGH] Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
PKSA-4wwj-2m42-9pp5 CVE-2024-52293 GHSA-f3cw-hg6r-chfv
Affected version: >=5.0.0-RC1,<=5.4.2|>=4.0.0-RC1,<=4.12.1
Reported by: GitHub
-
[HIGH] Craft CMS Arbitrary System File Read
PKSA-jkbm-w624-yb7q CVE-2024-52292 GHSA-cw6g-qmjq-6w2w
Affected version: >=3.5.13,<=4.12.6.1|>=5.0.0-alpha.1,<=5.4.7.1
Reported by: GitHub
-
[HIGH] Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
PKSA-mtjx-x487-29s9 CVE-2024-52291 GHSA-jrh5-vhr9-qh7q
Affected version: >=4.0.0-RC1,<=4.12.4.1|>=5.0.0-RC1,<=5.4.5.1
Reported by: GitHub
-
[MEDIUM] Craft CMS Feed-Me
PKSA-yq9g-7wmy-ph9w CVE-2023-36260 GHSA-6p78-f7h9-6838
Affected version: <4.6.2
Reported by: GitHub
-
[MEDIUM] Craft CMS Privilege Escalation
PKSA-gcgv-38nz-y8bs CVE-2024-21622 GHSA-j5g9-j7r4-6qvx
Affected version: >=3.0.0,<=3.9.5|>=4.0.0-RC1,<=4.5.10
Reported by: GitHub
-
[CRITICAL] Craft CMS Remote Code Execution vulnerability
PKSA-zdwv-2yjx-tdbf CVE-2023-41892 GHSA-4w8r-3xrw-v25g
Affected version: >=4.0.0-RC1,<=4.4.14
Reported by: GitHub
-
[HIGH] Craft CMS vulnerable to Remote Code Execution via validatePath bypass
PKSA-cdfq-1syy-3hcn CVE-2023-40035 GHSA-44wr-rmwq-3phw
Affected version: >=3.0.0,<=3.8.14|>=4.0.0-RC1,<=4.4.14
Reported by: GitHub
-
[MEDIUM] Craft CMS vulnerable to HTML injection
PKSA-htxf-m811-km69 CVE-2023-33495 GHSA-m3v5-gjj9-rg24
Affected version: <=4.4.9
Reported by: GitHub
-
[MEDIUM] Stored cross site scripting in Craft CMS
PKSA-j8mx-rm6f-69pz CVE-2023-2817 GHSA-7x94-jx75-3gh6
Affected version: >=4.0.0-RC1,<4.4.12
Reported by: GitHub
-
[MEDIUM] Craft CMS stored XSS in indexedVolumes
PKSA-xrqk-w2n4-gbx4 CVE-2023-33197 GHSA-6qjx-787v-6pxr
Affected version: >=4.0.0-RC1,<=4.4.5
Reported by: GitHub
-
[MEDIUM] Craft CMS stored XSS in review volume
PKSA-d3nn-kdfd-kcm5 CVE-2023-33196 GHSA-cjmm-x9x9-m2w5
Affected version: >=4.0.0-RC1,<=4.4.6
Reported by: GitHub
-
[MEDIUM] Craft CMS XSS in RSS widget feed
PKSA-nyt9-b7wg-tdq3 CVE-2023-33195 GHSA-qpgm-gjgf-8c2x
Affected version: >=4.3.0,<=4.4.5
Reported by: GitHub
-
[LOW] CraftCMS stored XSS in Quick Post widget error message
PKSA-yhf6-73qh-nrcp CVE-2023-33194 GHSA-3wxg-w96j-8hq9
Affected version: >=3.0.0,<=3.8.5|>=4.0.0-RC1,<4.4.6
Reported by: GitHub
-
[HIGH] Craft CMS vulnerable to Remote Code Execution via unrestricted file extension
PKSA-trjg-y1pb-yh98 CVE-2023-32679 GHSA-vqxf-r9ph-cc9c
Affected version: >=4.0.0,<4.4.6
Reported by: GitHub
-
[MEDIUM] craftcms/cms vulnerable to cross site scripting in RSS feed widget
PKSA-wgr5-shk8-4nmh CVE-2023-31144 GHSA-j4mx-98hw-6rv6
Affected version: >=4.0.0,<=4.4.3|>=3.0.0,<=3.8.3
Reported by: GitHub