croogo Host header injection
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component.
Advisories for Composer/Croogo/Croogo package
2025
2022
Unrestricted Upload of File with Dangerous Type
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script.
2020
Cross-site Scripting
Croogo allows XSS via the title to admin/menus/menus or admin/taxonomy/vocabularies.
2019
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Blog field to /admin/nodes/nodes/add/blog.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/taxonomy/vocabularies.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/menus/menus/edit/3.
2018
Cross-site Scripting
Croogo contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code.