Advisories for Composer/Bolt/Core package

2022

Improper Control of Generation of Code ('Code Injection')

Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit theme to inject server-side template injection that leads to remote code execution.

2021

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.