Skip to main content

Crafter Cms CVE-2017-15683

HIGH
XML Injection (aka Blind XPath Injection) (CWE-91)
2020-11-27 cve@mitre.org
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 27, 2020 - 18:15 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on org.craftercms:crafter-core (2 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionNVD

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.

AnalysisAI

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-91. In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. Affected products include: Craftercms Crafter Cms.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-19907 HIGH POC
8.8 Dec 06

A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Rated high severity (CVSS 8.8), this vulner

CVE-2017-15681 CRITICAL
9.8 Nov 27

In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to

CVE-2021-23264 CRITICAL
9.1 Dec 02

Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete

CVE-2017-15685 HIGH
8.6 Nov 27

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). Rated high severity (CVSS 8.6), this vulnera

CVE-2017-15684 HIGH
7.5 Nov 27

Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view

CVE-2021-23263 HIGH
7.5 Dec 02

Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and so

CVE-2023-26020 HIGH
7.2 Feb 17

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on

CVE-2022-40635 HIGH
7.2 Sep 13

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticat

CVE-2022-40634 HIGH
7.2 Sep 13

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticat

CVE-2021-23262 HIGH
7.2 Dec 02

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE. Rated h

CVE-2021-23259 HIGH
7.2 Dec 02

Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib

CVE-2021-23258 HIGH
7.2 Dec 02

Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. Ra

Share

CVE-2017-15683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy