2024-11-19
Platform: Craft CMS
Affected versions: Craft CMS 4.x releases before 4.12.2 and 5.x releases before 5.4.3
Vulnerability: Remote Code Execution (RCE) via missing path normalization, exploitable as Twig Server-Side Template Injection (SSTI)
Severity: High
Date: November 13, 2024 (NVD Published Date)
CVE-2024-52293: Craft CMS lacks normalization logic in its FileHelper::absolutePath helper, so a path containing traversal segments such as ".." is not canonicalized before it is used. An attacker who controls such a path can escape the directory the caller intended and, as the advisory describes, achieve remote code execution on the server. The issue is a follow-on to the previously identified CVE-2023-40035. It is fixed in Craft CMS 4.12.2 and 5.4.3.
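The following PHP is an added illustration of the bug class described above, not code from Craft CMS or from the Undercode post. The function names absolutePathUnsafe, absolutePathSafe and normalizePath, the base directory and the attacker-supplied path are all hypothetical stand-ins; the point is to show what "missing normalization" means in a path helper and what a corrected helper has to do (canonicalize lexically, then enforce containment in the base directory).

```php
<?php
declare(strict_types=1);

// Hypothetical helper that resolves a caller-supplied path against a base
// directory WITHOUT normalizing ".." segments. This stands in for the bug
// class in the advisory; it is not Craft's FileHelper::absolutePath.
function absolutePathUnsafe(string $base, string $relative): string
{
    $base = rtrim($base, '/');
    if ($relative !== '' && $relative[0] === '/') {
        return $relative;               // already absolute, accepted as-is
    }
    return $base . '/' . $relative;     // "../" segments survive untouched
}

// Hardened version: normalize the joined path lexically (no filesystem
// access, so it also works for files that do not exist yet), then require
// the result to stay inside $base. Absolute input is normalized too, so
// "/etc/passwd" is rejected the same way "../../etc/passwd" is.
function absolutePathSafe(string $base, string $relative): string
{
    $base = normalizePath($base);
    $joined = ($relative !== '' && $relative[0] === '/')
        ? $relative
        : $base . '/' . $relative;
    $resolved = normalizePath($joined);

    // Containment check: $resolved must be $base itself or a descendant of it.
    if ($resolved !== $base
        && strncmp($resolved, $base . '/', strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("Path escapes base directory: $relative");
    }
    return $resolved;
}

// Lexical normalization: unify separators, drop empty and "." segments,
// resolve ".." against the preceding segment. At the root of an absolute
// path a ".." has nothing to climb to and is dropped; a relative path is
// allowed to keep leading ".." so the containment check above can see it.
function normalizePath(string $path): string
{
    $path = str_replace('\\', '/', $path);
    $absolute = $path !== '' && $path[0] === '/';
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($out !== [] && end($out) !== '..') {
                array_pop($out);
            } elseif (!$absolute) {
                $out[] = '..';
            }
            continue;
        }
        $out[] = $segment;
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

// Constructed inputs for the demonstration.
$base     = '/var/www/craft/templates';          // hypothetical template root
$attacker = '../../../../tmp/evil.twig';         // constructed traversal input

// Unsafe: the traversal segments are kept, and the filesystem will resolve
// the result to /tmp/evil.twig when the template engine opens it.
echo absolutePathUnsafe($base, $attacker), PHP_EOL;

// Safe: a legitimate template path is resolved normally ...
echo absolutePathSafe($base, 'blog/_entry.twig'), PHP_EOL;

// ... while the traversal attempt is refused before anything is opened.
try {
    absolutePathSafe($base, $attacker);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The containment check is what actually closes the hole: normalizing alone would still let an attacker reach any file under the base directory via an absolute path, and checking for the literal substring ".." would miss encoded or backslash-separated variants. Doing the normalization lexically rather than with realpath() keeps the check usable for paths that are about to be created.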
What Undercode Says:
Craft CMS users running versions prior to 4.12.2 (4.x) or 5.4.3 (5.x) are advised to update immediately to mitigate this high-severity RCE vulnerability.
Additional Notes:
The NVD entry lists GitHub, Inc. as the source (assigning CNA) for CVE-2024-52293.
The NVD description states affected versions only as "prior to" 4.12.2 and 5.4.3 and gives no lower bound; consult the official Craft CMS release notes or the GitHub security advisory for the exact affected ranges.
Disclaimer: This information is for educational purposes only and should not be used for malicious activities.
References:
Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2024-52293