Aggregates CVE and security vulnerability intelligence across all croogo-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk cross-site scripting and vendor risk path handling; exposure may include vendor impact session compromise and vendor impact file overwrite in vendor surface software deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-42718 | A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter. | [email protected] | 6.5 | 0.02% | 2025-12-26 | 2025-12-31 |
| CVE-2024-29643 | An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. | [email protected] | 9.1 | 0.14% | 2025-04-18 | 2025-05-28 |
| CVE-2021-44673 | A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script. | [email protected] | 8.8 | 3.54% | 2022-03-10 | 2024-11-21 |
| CVE-2019-20789 | Croogo before 3.0.7 allows XSS via the title to admin/menus/menus or admin/taxonomy/vocabularies. | [email protected] | 4.8 | 0.32% | 2020-04-26 | 2024-11-21 |
| CVE-2019-7173 | A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4. | [email protected] | 4.8 | 0.22% | 2019-01-29 | 2024-11-21 |
| CVE-2019-7171 | A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8. | [email protected] | 4.8 | 0.22% | 2019-01-29 | 2024-11-21 |
| CVE-2019-7170 | A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/taxonomy/vocabularies. | [email protected] | 4.8 | 0.22% | 2019-01-29 | 2024-11-21 |
| CVE-2019-7169 | A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/menus/menus/edit/3. | [email protected] | 4.8 | 0.22% | 2019-01-29 | 2024-11-21 |
| CVE-2019-7168 | A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Blog field to /admin/nodes/nodes/add/blog. | [email protected] | 4.8 | 0.22% | 2019-01-29 | 2024-11-21 |
| CVE-2017-1000510 | Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code. | [email protected] | 5.4 | 0.32% | 2018-02-09 | 2024-11-21 |
| CVE-2015-1053 | Cross-site scripting (XSS) vulnerability in the administrative backend in Croogo before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to admin/file_manager/file_manager/editfile. | [email protected] | 4.3 | 0.54% | 2015-01-16 | 2026-05-06 |
| CVE-2014-8577 | Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) data[Block][alias] parameter to admin/blocks/blocks/edit page; (4) data[Region][title] parameter to admin/blocks/regions/add page; (5) data[Menu][title] or (6) data[Menu][alias] parameter to admin/menus/menus/add page; or (7) data[Link][title] parameter | [email protected] | 4.3 | 13.09% | 2014-10-31 | 2026-05-06 |