CVE-2024-21622
Severity: MEDIUM
Craftcms Craft CMS < 3.9.6 - Improper Privilege Management
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
References (7)
Vendor Advisory x_refsource_confirm
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx
Issue Tracking, Patch x_refsource_misc
https://github.com/craftcms/cms/pull/13931
Issue Tracking, Patch x_refsource_misc
https://github.com/craftcms/cms/pull/13932
Patch x_refsource_misc
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
Patch x_refsource_misc
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
Release Notes x_refsource_misc
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
Release Notes x_refsource_misc
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
Scores
CVSS v3
5.4
EPSS
0.0010
EPSS Percentile
27.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-269
Status
published
Products (2)
craftcms/cms
4.0.0-RC1 - 4.5.11 (Packagist)
craftcms/craft_cms
3.0.0 - 3.9.6
Published
Jan 03, 2024
Tracked Since
Feb 18, 2026