CVE-2020-9322

Published: Aug 8, 2025

Modified: Aug 8, 2025

PUBLISHED

Description

The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://statamic.com/changelog#2.11.18

https://gist.github.com/kernelsndrs/86b78e869d481566223914ec7d4fc881

https://web.archive.org/web/20200304174034/www.statamic.com/changelog#2.11.18

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-9322

Description

Affected Products

References