CVE-2024-21622

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
GitHub_MCNA
5.4 MEDIUM
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
VendorProductVersion
craftcmscraft_cms
3.0.0 ≤
𝑥
< 3.9.6
craftcmscraft_cms
4.0.0 ≤
𝑥
≤ 4.5.15
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx