Croogo CMS has a path traversal vulnerability
A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter.
Advisories for Composer/Croogo/Croogo package
2025
croogo Host header injection
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component.
2022
Unrestricted Upload of File with Dangerous Type
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script.
2020
Cross-site Scripting
Croogo allows XSS via the title to admin/menus/menus or admin/taxonomy/vocabularies.
2019
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Blog field to /admin/nodes/nodes/add/blog.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/taxonomy/vocabularies.
Cross-site Scripting
A stored-self XSS exists in Croogo allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/menus/menus/edit/3.
2018
Cross-site Scripting
Croogo contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code.