exploitDog

CVE-2021-23259

Published: 02 Dec 2021
Source: nvd
CVSS3: 4.2
CVSS3: 7.2
CVSS2: 6.5
EPSS: Low

Description

Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).

Vulnerable configurations

Configuration 1
cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*
Versions from 3.1.0 (inclusive) to 3.1.12 (exclusive)

EPSS

Percentile: 60%
0.00391
Low

4.2 Medium

CVSS3

7.2 High

CVSS3

6.5 Medium

CVSS2

Weaknesses

CWE-913

Related vulnerabilities

github
about 4 years ago

Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).

EPSS

Percentile: 60%
0.00391
Low

4.2 Medium

CVSS3

7.2 High

CVSS3

6.5 Medium

CVSS2

Weaknesses

CWE-913