CVE-2020-25802

MEDIUM

Crafter CMS <3.0.27, <3.1.7 - Command Injection

Title source: llm

Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy scripting. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior to 3.1.7.

References (1)

[Vendor Advisory] https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2020080101

Scores

CVSS v3 4.2

EPSS 0.0043

EPSS Percentile 62.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-913

Status published

Products (2)

craftercms/studio 3.0.0 - 3.0.27

org.craftercms/crafter-studio 3.0 - 3.0.27Maven

Published Oct 06, 2020

Tracked Since Feb 18, 2026