CVE-2021-23258

MEDIUM

Spring - RCE

Title source: llm

Description

Authenticated users holding the Administrator or Developer role can execute operating-system commands by supplying SpEL (Spring Expression Language) expressions in Spring bean definitions. The expressions are evaluated without security restrictions, so such a user can run arbitrary commands on the server remotely (RCE). Note that exploitation requires a highly privileged account (PR:H in the vector below), which is why the base score is only Medium despite the command-execution outcome.
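The root cause is the difference between an unrestricted and a restricted SpEL evaluation context. The following is an added illustration, not Crafter CMS code and not a reproduction of this CVE: it assumes Spring Framework 5.x on the classpath and uses a constructed `Page` object and two constructed expression strings. The hostile expression reads a JVM system property rather than spawning a process, but it has the same shape as `T(java.lang.Runtime).getRuntime().exec('...')`, which an unrestricted context would accept just as readily. `StandardEvaluationContext` (the vulnerable pattern) evaluates it; `SimpleEvaluationContext.forReadOnlyDataBinding()` (the hardened pattern Spring provides for untrusted expressions) rejects both the `T(...)` type reference and the method call.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (hypothetical names): compares an unrestricted SpEL context with a
// read-only data-binding context when the expression string comes from a user.
public class SpelContextDemo {

    // Constructed data-binding target: the only object a template should be able to touch.
    public static class Page {
        private final String title = "Home";
        public String getTitle() { return title; }
    }

    // Constructed inputs. HOSTILE uses a type reference plus a method call, the same
    // shape as T(java.lang.Runtime).getRuntime().exec('...'), but only reads a property.
    static final String BENIGN  = "title";
    static final String HOSTILE = "T(java.lang.System).getProperty('os.name')";

    // Vulnerable pattern: StandardEvaluationContext exposes type references, constructors
    // and arbitrary method invocation to whoever controls the expression string.
    static Object evalUnrestricted(String expr, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression e = parser.parseExpression(expr);
        return e.getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: SimpleEvaluationContext has no type locator and no method
    // resolvers, so T(...) and method calls throw SpelEvaluationException; only
    // property access on the root object (and indexing/operators) is allowed.
    static Object evalRestricted(String expr, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression e = parser.parseExpression(expr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        Page page = new Page();

        // Both contexts serve the legitimate data-binding use case.
        System.out.println("unrestricted, benign : " + evalUnrestricted(BENIGN, page));
        System.out.println("restricted,   benign : " + evalRestricted(BENIGN, page));

        // Only the unrestricted context lets the user reach arbitrary JVM types.
        System.out.println("unrestricted, hostile: " + evalUnrestricted(HOSTILE, page));
        try {
            evalRestricted(HOSTILE, page);
            System.out.println("restricted,   hostile: evaluated (unexpected)");
        } catch (EvaluationException ex) {
            System.out.println("restricted,   hostile: rejected -> " + ex.getMessage());
        }
    }
}
```

When reviewing a Spring-based application for this class of bug, look for `SpelExpressionParser` (or `@Value`/bean XML evaluation) applied to any string that an authenticated user can edit, and check which `EvaluationContext` is passed to `getValue`. Switching to `SimpleEvaluationContext` is only a mitigation if the application does not itself need method calls or type references in user-supplied expressions; where it does, the expression source must be treated as code and restricted to trusted principals.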

Scores

CVSS v3 4.2
EPSS 0.0034
EPSS Percentile 56.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-913 (Improper Control of Dynamically-Managed Code Resources)
Status published
Products (1)
craftercms/crafter_cms 3.1.0 - 3.1.12
Published Dec 02, 2021
Tracked Since Feb 18, 2026