crafty-controller/crafty-4
CVE History
| CVE | Published | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|
| | | 9 CRITICAL | — | An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation. |
| | | 9.9 CRITICAL | — | An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. |
| | | 8.2 HIGH | — | An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. |
| | | 9.9 CRITICAL | — | An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection. |
| | | 7.1 HIGH | — | An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification. |
| | | 7.6 HIGH | — | An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input. |
| | | 7.5 HIGH | — | A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header. |