CVE-2020-9322
HIGHStatamic Core < 2.11.8 - Cross-Site Request Forgery and Stored Cross-Site Scripting via Username
Title source: llmDescription
The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.
References (3)
Core 3
Core References
Various Sources
https://statamic.com/changelog#2.11.18
Scores
CVSS v3
8.8
EPSS
0.0024
EPSS Percentile
14.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
CWE-79
Status
published
Published
Aug 08, 2025
Tracked Since
Feb 18, 2026