Description

An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).

Remediation

References

CVE-2021-27903

Related Vulnerabilities

Oracle Database Server Other Vulnerability (CVE-2005-0701)

OpenSSL Improper Authentication Vulnerability (CVE-2009-0653)

Cherokee Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2019-20799)

Apache HTTP Server Improper Neutralization of CRLF Sequences ('CRLF Injection') Vulnerability (CVE-2016-4975)

PHP Numeric Errors Vulnerability (CVE-2015-4021)

Severity

Critical

Classification

CVE-2021-27903 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities