Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
References
Link | Resource |
---|---|
https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58 | Patch |
https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
19 Nov 2024, 17:51
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58 - Patch | |
References | () https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv - Exploit, Vendor Advisory | |
First Time |
Craftcms
Craftcms craft Cms |
|
CPE | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:* |
|
Summary |
|
13 Nov 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-13 16:15
Updated : 2024-11-19 17:51
NVD link : CVE-2024-52293
Mitre link : CVE-2024-52293
CVE.ORG link : CVE-2024-52293
JSON object : View
Products Affected
craftcms
- craft_cms
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')