CVE-2024-21622: Craft CMS Privilege Escalation

CVSS: 5.4

Description

Craft is a content management system. Craft 3.x before 3.9.6 and 4.x before 4.4.16 contain a potential privilege escalation vulnerability of moderate impact and low attack complexity that is only reachable under certain user permission setups. The issue is fixed in Craft 3.9.6 and Craft 4.4.16; users should ensure they are running at least those versions.
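A quick way to triage a deployment against the version ranges in the description is to read the installed craftcms/cms version out of composer.lock and compare it against the per-branch fixed versions. The following Python is an added example written for this page, not code from the Craft project; the fixed-version thresholds are taken from the description above, and because the changelog reference listed below points at the 4.5.11 entry, the 4.x threshold should be confirmed against the vendor advisory before the result is relied on. The composer.lock content is constructed for the example, and pre-release suffixes are deliberately ignored when parsing versions.

```python
import json
import re

# Fixed versions per major branch, as stated in the advisory description on this page.
# 5.x (and anything outside 3.x/4.x) is outside the affected range the page describes.
FIXED_VERSIONS = {3: (3, 9, 6), 4: (4, 4, 16)}


def parse_version(text):
    """Turn 'v4.4.15' or '4.4.16-beta.1' into (4, 4, 15) / (4, 4, 16).

    Pre-release tags are ignored (simplification for this example).
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, fixed=FIXED_VERSIONS):
    """True if `version` falls in an affected range (3.x < 3.9.6, 4.x < 4.4.16)."""
    v = parse_version(version)
    threshold = fixed.get(v[0])
    if threshold is None:
        return False
    return v < threshold


def check_composer_lock(lock_text):
    """Return (installed_version, vulnerable) for craftcms/cms, or (None, False) if absent."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "craftcms/cms":
            version = pkg["version"]
            return version, is_vulnerable(version)
    return None, False


# Constructed composer.lock excerpt for the example (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.4.15"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    version, vulnerable = check_composer_lock(SAMPLE_LOCK)
    print(f"craftcms/cms {version}: {'AFFECTED' if vulnerable else 'not affected'}")
```

Run it against a real lock file with `check_composer_lock(open("composer.lock").read())`; pass a different `fixed` mapping to `is_vulnerable` if the advisory's fixed versions differ from the ones on this page.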

Classification

CVE ID: CVE-2024-21622

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Problem Types

CWE-269: Improper Privilege Management

Affected Products

Vendor: craftcms

Product: cms

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.1% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 29.53% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none (no public proof of concept or reported exploitation at scoring time)

SSVC Technical Impact: partial (successful exploitation gives limited rather than total control of the affected software)

SSVC Automatable: false (the exploitation steps cannot reliably be automated across targets)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21622
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16

Timeline