CVE-2024-21622

low-risk
Published 2024-01-03

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
ADJACENT_NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Craftcms

References (14)

Release Notes https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
Release Notes https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
Patch https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
Patch https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
Issue Tracking https://github.com/craftcms/cms/pull/13931
Issue Tracking https://github.com/craftcms/cms/pull/13932
Vendor Advisory https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx
Release Notes https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
Release Notes https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
Patch https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
Patch https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
Issue Tracking https://github.com/craftcms/cms/pull/13931
Issue Tracking https://github.com/craftcms/cms/pull/13932
Vendor Advisory https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal