5.3 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): Low (L)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): Not Defined (X)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization
A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.
References
-
VDB-376388 | Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization vdb-entrytechnical-description
-
-
CVE-2026-14794 | CVE Analysis and Report third-party-advisory
-
Submit #850793 | Craftcms CMS 5.10.1 Improper Access Controls third-party-advisory
Affected products
- ==4.18.1
- ==4.18.0.1
- ==4.18.0.0
Matching in nixpkgs
pkgs.cmst
QT GUI for Connman with system tray icon
-
nixos-unstable 2023.03.14
- nixpkgs-unstable 2023.03.14
- nixos-unstable-small 2023.03.14
-
nixos-26.05 2023.03.14
- nixos-26.05-small 2023.03.14
- nixpkgs-26.05-darwin 2023.03.14
pkgs.lcms
Color management engine
pkgs.lcms1
Color management engine
pkgs.lcms2
Color management engine
pkgs.cppcms
High Performance C++ Web Framework
-
nixos-unstable 2.0.0.beta2
- nixpkgs-unstable 2.0.0.beta2
- nixos-unstable-small 2.0.0.beta2
-
nixos-26.05 2.0.0.beta2
- nixos-26.05-small 2.0.0.beta2
- nixpkgs-26.05-darwin 2.0.0.beta2
pkgs.xcmsdb
Device Color Characterization utility for X Color Management System
pkgs.argyllcms
Color management system (compatible with ICC)
pkgs.pcmsolver
API for the Polarizable Continuum Model
pkgs.luaPackages.lua-cmsgpack
MessagePack C implementation and bindings for Lua 5.1/5.2/5.3
pkgs.lua51Packages.lua-cmsgpack
MessagePack C implementation and bindings for Lua 5.1/5.2/5.3
pkgs.lua52Packages.lua-cmsgpack
MessagePack C implementation and bindings for Lua 5.1/5.2/5.3
pkgs.lua53Packages.lua-cmsgpack
MessagePack C implementation and bindings for Lua 5.1/5.2/5.3
pkgs.lua54Packages.lua-cmsgpack
MessagePack C implementation and bindings for Lua 5.1/5.2/5.3
pkgs.lua55Packages.lua-cmsgpack
MessagePack C implementation and bindings for Lua 5.1/5.2/5.3
pkgs.python313Packages.cmsdials
Python API client interface to CMS DIALS service
pkgs.python313Packages.dcmstack
DICOM to Nifti conversion preserving metadata
-
nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05
-
nixos-26.05 0.9-unstable-2024-12-05
- nixos-26.05-small 0.9-unstable-2024-12-05
- nixpkgs-26.05-darwin 0.9-unstable-2024-12-05
pkgs.python314Packages.cmsdials
Python API client interface to CMS DIALS service
pkgs.python314Packages.dcmstack
DICOM to Nifti conversion preserving metadata
-
nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05
-
nixos-26.05 0.9-unstable-2024-12-05
- nixos-26.05-small 0.9-unstable-2024-12-05
- nixpkgs-26.05-darwin 0.9-unstable-2024-12-05
pkgs.python313Packages.cmsis-svd
CMSIS SVD parser
pkgs.python313Packages.pyemoncms
Python library for emoncms API
pkgs.python314Packages.cmsis-svd
CMSIS SVD parser
pkgs.python314Packages.pyemoncms
Python library for emoncms API
pkgs.python313Packages.django-cms
Lean enterprise content management powered by Django
pkgs.python314Packages.django-cms
Lean enterprise content management powered by Django
pkgs.python313Packages.djangocms-alias
Lean enterprise content management powered by Django
pkgs.python314Packages.djangocms-alias
Lean enterprise content management powered by Django
pkgs.vscode-extensions.cmschuetz12.wal
None
pkgs.python313Packages.cmsis-pack-manager
Rust and Python module for handling CMSIS Pack files
pkgs.python314Packages.cmsis-pack-manager
Rust and Python module for handling CMSIS Pack files
pkgs.python313Packages.djangocms-admin-style
Django Theme tailored to the needs of django CMS
pkgs.python314Packages.djangocms-admin-style
Django Theme tailored to the needs of django CMS
pkgs.python313Packages.djangocms-text-ckeditor
Text Plugin for django CMS using CKEditor 4
Package maintainers
-
@matejc Matej Cotman <cotman.matej@gmail.com>
-
@romildo José Romildo Malaquias <malaquias@gmail.com>
-
@juliendehos Julien Dehos <dehos@lisic.univ-littoral.fr>
-
@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>
-
@ShamrockLee Yueh-Shun Li <shamrocklee@posteo.net>
-
@jollheef Mikhail Klementev <root@dumpstack.io>
-
@bcdarwin Ben Darwin <bcdarwin@gmail.com>
-
@onny Jonas Heinrich <onny@project-insanity.org>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>