CVE-2018-20465

Name: CVE-2018-20465
Creator: NVD / NIST
Published: 2018-12-25T23:29:00.34+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.06%

Last modified Jun 17, 2026

CVE-2018-20465 is a vulnerability of currently unknown severity. Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.. EPSS estimates a 1.06% chance of exploitation in the next 30 days.

Description

Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.

Metrics

EPSS Probability

1.06%

60.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-311

Affected Software

Vendor	Product	Versions
Craftcms	Craft Cms	<= 3.0.34

References

https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.mdRelease Notes
https://github.com/phuctam/Server-Side-Template-Injection-in-CraftCMS-/issues/1Exploit, Third Party Advisory
https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.mdRelease Notes
https://github.com/phuctam/Server-Side-Template-Injection-in-CraftCMS-/issues/1Exploit, Third Party Advisory

Timeline

Published: Dec 25, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-20465?

How severe is CVE-2018-20465?

Severity scoring for CVE-2018-20465 is pending analysis. The EPSS model estimates a 1.06% probability of exploitation in the next 30 days.

How do I fix CVE-2018-20465?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-20465?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST