CVE-2021-27903

CRITICAL

Craft CMS < 3.6.7 - Remote Code Execution via Administrative Session Hijack

Title source: llm

Description

An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).

Scores

CVSS v3 9.8
EPSS 0.0282
EPSS Percentile 84.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-862
Status published
Products (2)
craftcms/cms 0 - 3.6.7 (Packagist)
craftcms/craft_cms < 3.6.7
Published Jun 30, 2021
Tracked Since Feb 18, 2026