CVE-2021-23259

MEDIUM

Groovy Script - RCE

Title source: llm

Description

Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).

References (1)

[Vendor Advisory] https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120102

Scores

CVSS v3 4.2

EPSS 0.0039

EPSS Percentile 60.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-913

Status published

Products (1)

craftercms/crafter_cms 3.1.0 - 3.1.12

Published Dec 02, 2021

Tracked Since Feb 18, 2026