Crafty Controller
Monthly
Crafty Controller Users API allows authenticated administrators with high privileges to modify other user accounts due to improper API permission validation. Despite requiring PR:H (high privileges) and authentication, the vulnerability achieves CVSS 9.0 due to scope change, enabling privilege escalation and potential system-wide compromise. GitLab reports this as an authentication bypass affecting Crafty Controller by Arcadia Technology, LLC. No CISA KEV listing or public exploit code identified at time of analysis, though the authentication bypass tag suggests deviation from intended access controls even for privileged users.
Path traversal in Crafty Controller game server management allows authenticated attackers to read/write files outside the intended directory. CVSS 9.9 with scope change.
Remote code execution in Crafty Controller's Backup Configuration feature results from insufficient path traversal validation, enabling authenticated attackers to manipulate files and execute arbitrary code on affected systems. The vulnerability requires valid credentials and specific conditions to exploit but carries high impact due to its ability to compromise system integrity and confidentiality. No patch is currently available.
Stored cross-site scripting (XSS) vulnerability in Crafty Controller that allows authenticated attackers to inject malicious JavaScript through the Server Name form and API Key form components. An attacker with valid credentials can craft malicious input that persists in the application, executing arbitrary scripts in other users' browsers with the same security context. While CVSS 7.6 indicates high severity and the vulnerability requires low attack complexity with network accessibility, real-world risk is constrained by the requirement for prior authentication and user interaction.
Crafty Controller Users API allows authenticated administrators with high privileges to modify other user accounts due to improper API permission validation. Despite requiring PR:H (high privileges) and authentication, the vulnerability achieves CVSS 9.0 due to scope change, enabling privilege escalation and potential system-wide compromise. GitLab reports this as an authentication bypass affecting Crafty Controller by Arcadia Technology, LLC. No CISA KEV listing or public exploit code identified at time of analysis, though the authentication bypass tag suggests deviation from intended access controls even for privileged users.
Path traversal in Crafty Controller game server management allows authenticated attackers to read/write files outside the intended directory. CVSS 9.9 with scope change.
Remote code execution in Crafty Controller's Backup Configuration feature results from insufficient path traversal validation, enabling authenticated attackers to manipulate files and execute arbitrary code on affected systems. The vulnerability requires valid credentials and specific conditions to exploit but carries high impact due to its ability to compromise system integrity and confidentiality. No patch is currently available.
Stored cross-site scripting (XSS) vulnerability in Crafty Controller that allows authenticated attackers to inject malicious JavaScript through the Server Name form and API Key form components. An attacker with valid credentials can craft malicious input that persists in the application, executing arbitrary scripts in other users' browsers with the same security context. While CVSS 7.6 indicates high severity and the vulnerability requires low attack complexity with network accessibility, real-world risk is constrained by the requirement for prior authentication and user interaction.