eval.blog

❯

❯

CVE-2021-27902

Jul 29, 20211 min read

Cross Site Scripting in CraftCMS

Reported a stored cross-site scripting vulnerability in CraftCMS that was assigned CVE-2021-27902. The issue arose from an unrestricted file upload feature, where HTML files were allowed by default.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-27902
https://eval.blog/research/craftcms-zero-day-ssti-xss-triggering-rce
https://github.com/craftcms/cms/commit/8ee85a8f03c143fa2420e7d6f311d95cae3b19ce

Graph View

Cross Site Scripting in CraftCMS
References

Backlinks

CVE-2021-27903
CraftCMS Zero-day Chain: XSS to SSTI triggering RCE

Copyright Vikrant Singh Chauhan © 2025

GitHub
Linkedin
Twitter
Mastodon