Remote Code Execution in Craft CMS by Pixel & Tonic
CVE-2021-27903

9.8CRITICAL

Key Information:

Vendor

Craftcms

Status
Craft Cms
Vendor
CVE Published:
30 June 2021

What is CVE-2021-27903?

Craft CMS versions prior to 3.6.7 have a vulnerability that could allow an attacker to execute remote code. This occurs on sites where administrative changes are not well-restricted, potentially allowing the hijacking of an administrator's session. Proper session management and access controls are critical to mitigating this risk and safeguarding against unauthorized access.

References

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md...
x_refsource_MISC
https://github.com/craftcms/cms/commit/c17728fa0bec11d3b8...
x_refsource_MISC
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.