CVE-2024-52293

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

History

19 Nov 2024, 17:51

Type Values Removed Values Added
References () https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58 - () https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58 - Patch
References () https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv - () https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv - Exploit, Vendor Advisory
First Time Craftcms
Craftcms craft Cms
CPE cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Summary
  • (es) Craft es un sistema de gestión de contenido (CMS). Antes de las versiones 4.12.2 y 5.4.3, Craft no tenía normalizePath en la función FileHelper::absolutePath, lo que podía provocar la ejecución remota de código en el servidor a través de twig SSTI. Esta es una secuela de CVE-2023-40035. Esta vulnerabilidad se ha corregido en las versiones 4.12.2 y 5.4.3.

13 Nov 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-13 16:15

Updated : 2024-11-19 17:51


NVD link : CVE-2024-52293

Mitre link : CVE-2024-52293

CVE.ORG link : CVE-2024-52293


JSON object : View

Products Affected

craftcms

  • craft_cms
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')