Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities found for crafty_controller by craftycontrol
CVE-2026-0963 (GCVE-0-2026-0963)
Vulnerability from nvd – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI?
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity ?
9.9 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.7.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:24:06.892805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:26.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:05.503Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #660",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/660"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0963",
"datePublished": "2026-01-30T06:04:05.503Z",
"dateReserved": "2026-01-14T20:14:16.821Z",
"dateUpdated": "2026-02-02T16:33:26.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0805 (GCVE-0-2026-0805)
Vulnerability from nvd – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI?
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity ?
8.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.5.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:23:52.162136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:11.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:15.330Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #650",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/650"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0805",
"datePublished": "2026-01-30T06:04:15.330Z",
"dateReserved": "2026-01-09T10:40:55.812Z",
"dateUpdated": "2026-02-02T16:33:11.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14701 (GCVE-0-2025-14701)
Vulnerability from nvd – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:20
VLAI?
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
0 , < 4.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:20:31.643289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:20:58.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:32.259Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #647",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/647"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14701",
"datePublished": "2025-12-17T00:04:32.259Z",
"dateReserved": "2025-12-14T14:55:30.519Z",
"dateUpdated": "2025-12-17T21:20:58.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14700 (GCVE-0-2025-14700)
Vulnerability from nvd – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:25
VLAI?
Title
Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller
Summary
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.
Severity ?
9.9 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.6.1
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:24:39.127580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:25:02.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"status": "affected",
"version": "4.6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:37.049Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #646",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14700",
"datePublished": "2025-12-17T00:04:37.049Z",
"dateReserved": "2025-12-14T14:48:04.696Z",
"dateUpdated": "2025-12-17T21:25:02.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5990 (GCVE-0-2025-5990)
Vulnerability from nvd – Published: 2025-06-15 18:01 – Updated: 2025-06-16 13:48
VLAI?
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.2.2 , ≤ 4.2.3
(semver)
Affected: 4.3.0 , ≤ 4.3.2 (semver) Affected: 4.4.0 , < 4.4.10 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T13:48:12.494095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T13:48:53.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.3",
"status": "affected",
"version": "4.2.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.3.2",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.4.10",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-15T18:01:09.667Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #567",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/567"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.4.10"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-5990",
"datePublished": "2025-06-15T18:01:09.667Z",
"dateReserved": "2025-06-11T06:02:33.232Z",
"dateUpdated": "2025-06-16T13:48:53.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1064 (GCVE-0-2024-1064)
Vulnerability from nvd – Published: 2024-02-03 09:02 – Updated: 2024-08-29 15:04
VLAI?
Title
Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4
Summary
A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header
Severity ?
7.5 (High)
CWE
- CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.0.0 , ≤ 4.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T17:03:37.645654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:34.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.2",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to [ebartz1](https://gitlab.com/ebartz1) on GitLab for initially reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-644",
"description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:04:54.738Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Crafty Controller 4.2.3 or higher OR block requests to the Crafty Controller HTTP port"
}
],
"title": "Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2024-1064",
"datePublished": "2024-02-03T09:02:20.539Z",
"dateReserved": "2024-01-30T09:30:40.948Z",
"dateUpdated": "2024-08-29T15:04:54.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-0805 (GCVE-0-2026-0805)
Vulnerability from cvelistv5 – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI?
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity ?
8.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.5.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:23:52.162136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:11.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:15.330Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #650",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/650"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0805",
"datePublished": "2026-01-30T06:04:15.330Z",
"dateReserved": "2026-01-09T10:40:55.812Z",
"dateUpdated": "2026-02-02T16:33:11.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0963 (GCVE-0-2026-0963)
Vulnerability from cvelistv5 – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI?
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity ?
9.9 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.7.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:24:06.892805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:26.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:05.503Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #660",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/660"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0963",
"datePublished": "2026-01-30T06:04:05.503Z",
"dateReserved": "2026-01-14T20:14:16.821Z",
"dateUpdated": "2026-02-02T16:33:26.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14700 (GCVE-0-2025-14700)
Vulnerability from cvelistv5 – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:25
VLAI?
Title
Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller
Summary
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.
Severity ?
9.9 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.6.1
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:24:39.127580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:25:02.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"status": "affected",
"version": "4.6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:37.049Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #646",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14700",
"datePublished": "2025-12-17T00:04:37.049Z",
"dateReserved": "2025-12-14T14:48:04.696Z",
"dateUpdated": "2025-12-17T21:25:02.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14701 (GCVE-0-2025-14701)
Vulnerability from cvelistv5 – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:20
VLAI?
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
0 , < 4.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:20:31.643289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:20:58.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:32.259Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #647",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/647"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14701",
"datePublished": "2025-12-17T00:04:32.259Z",
"dateReserved": "2025-12-14T14:55:30.519Z",
"dateUpdated": "2025-12-17T21:20:58.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5990 (GCVE-0-2025-5990)
Vulnerability from cvelistv5 – Published: 2025-06-15 18:01 – Updated: 2025-06-16 13:48
VLAI?
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.2.2 , ≤ 4.2.3
(semver)
Affected: 4.3.0 , ≤ 4.3.2 (semver) Affected: 4.4.0 , < 4.4.10 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T13:48:12.494095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T13:48:53.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.3",
"status": "affected",
"version": "4.2.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.3.2",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.4.10",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-15T18:01:09.667Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #567",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/567"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.4.10"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-5990",
"datePublished": "2025-06-15T18:01:09.667Z",
"dateReserved": "2025-06-11T06:02:33.232Z",
"dateUpdated": "2025-06-16T13:48:53.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1064 (GCVE-0-2024-1064)
Vulnerability from cvelistv5 – Published: 2024-02-03 09:02 – Updated: 2024-08-29 15:04
VLAI?
Title
Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4
Summary
A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header
Severity ?
7.5 (High)
CWE
- CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.0.0 , ≤ 4.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T17:03:37.645654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:34.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.2",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to [ebartz1](https://gitlab.com/ebartz1) on GitLab for initially reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-644",
"description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:04:54.738Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Crafty Controller 4.2.3 or higher OR block requests to the Crafty Controller HTTP port"
}
],
"title": "Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2024-1064",
"datePublished": "2024-02-03T09:02:20.539Z",
"dateReserved": "2024-01-30T09:30:40.948Z",
"dateUpdated": "2024-08-29T15:04:54.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}