CVE-2023-32679 (GCVE-0-2023-32679)
Vulnerability from cvelistv5 – Published: 2023-05-19 19:40 – Updated: 2025-02-12 16:37
VLAI?
Summary
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.2 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32679",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T17:06:00.564677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:37:52.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-19T19:40:14.858Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"
}
],
"source": {
"advisory": "GHSA-vqxf-r9ph-cc9c",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution via unrestricted file extension in Craft CMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32679",
"datePublished": "2023-05-19T19:40:14.858Z",
"dateReserved": "2023-05-11T16:33:45.731Z",
"dateUpdated": "2025-02-12T16:37:52.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.0.0\", \"versionEndExcluding\": \"4.4.6\", \"matchCriteriaId\": \"9A4ADBBC-7393-491B-BC44-81DD6CABD2A9\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}]",
"id": "CVE-2023-32679",
"lastModified": "2024-11-21T08:03:50.137",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}]}",
"published": "2023-05-19T20:15:09.310",
"references": "[{\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-74\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-32679\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-19T20:15:09.310\",\"lastModified\":\"2024-11-21T08:03:50.137\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.4.6\",\"matchCriteriaId\":\"9A4ADBBC-7393-491B-BC44-81DD6CABD2A9\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\", \"name\": \"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:25:36.659Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32679\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-21T17:06:00.564677Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T16:37:42.533Z\"}}], \"cna\": {\"title\": \"Remote Code Execution via unrestricted file extension in Craft CMS\", \"source\": {\"advisory\": \"GHSA-vqxf-r9ph-cc9c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"cms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.4.6\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\", \"name\": \"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-05-19T19:40:14.858Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-32679\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T16:37:52.522Z\", \"dateReserved\": \"2023-05-11T16:33:45.731Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-05-19T19:40:14.858Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GSD-2023-32679
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-32679",
"id": "GSD-2023-32679"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-32679"
],
"details": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"id": "GSD-2023-32679",
"modified": "2023-12-13T01:20:23.795851Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-32679",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cms",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003e= 4.0.0, \u003c 4.4.6"
}
]
}
}
]
},
"vendor_name": "craftcms"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-74",
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c",
"refsource": "MISC",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"
}
]
},
"source": {
"advisory": "GHSA-vqxf-r9ph-cc9c",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=4.0.0,\u003c4.4.6",
"affected_versions": "All versions starting from 4.0.0 before 4.4.6",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2023-05-26",
"description": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"fixed_versions": [
"4.4.6"
],
"identifier": "CVE-2023-32679",
"identifiers": [
"CVE-2023-32679",
"GHSA-vqxf-r9ph-cc9c"
],
"not_impacted": "All versions before 4.0.0, all versions starting from 4.4.6",
"package_slug": "packagist/craftcms/cms",
"pubdate": "2023-05-19",
"solution": "Upgrade to version 4.4.6 or above.",
"title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"urls": [
"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c",
"https://nvd.nist.gov/vuln/detail/CVE-2023-32679",
"https://github.com/craftcms/cms/releases/tag/4.4.6",
"https://github.com/advisories/GHSA-vqxf-r9ph-cc9c"
],
"uuid": "b661e2a9-32cc-4618-88d6-4a9ddddf37bb"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.4.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-32679"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-05-26T17:33Z",
"publishedDate": "2023-05-19T20:15Z"
}
}
}
GHSA-VQXF-R9PH-CC9C
Vulnerability from github – Published: 2023-05-22 20:36 – Updated: 2023-05-22 20:36
VLAI?
Summary
Craft CMS vulnerable to Remote Code Execution via unrestricted file extension
Details
Summary
Unrestricted file extension lead to a potential Remote Code Execution (Authenticated, ALLOW_ADMIN_CHANGES=true)
Details
Vulnerability Cause :
If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates (even if they are not extensions set in defaultTemplateExtensions = ['html', 'twig'])
/**
* Searches for a template files, and returns the first match if there is one.
*
* @param string $basePath The base path to be looking in.
* @param string $name The name of the template to be looking for.
* @param bool $publicOnly Whether to only look for public templates (template paths that don’t start with the private template trigger).
* @return string|null The matching file path, or `null`.
*/
private function _resolveTemplate(string $basePath, string $name, bool $publicOnly): ?string
{
// Normalize the path and name
$basePath = FileHelper::normalizePath($basePath);
$name = trim(FileHelper::normalizePath($name), '/');
// $name could be an empty string (e.g. to load the homepage template)
if ($name !== '') {
if ($publicOnly && preg_match(sprintf('/(^|\/)%s/', preg_quote($this->_privateTemplateTrigger, '/')), $name)) {
return null;
}
// Maybe $name is already the full file path
$testPath = $basePath . DIRECTORY_SEPARATOR . $name;
if (is_file($testPath)) {
return $testPath;
}
foreach ($this->_defaultTemplateExtensions as $extension) {
$testPath = $basePath . DIRECTORY_SEPARATOR . $name . '.' . $extension;
if (is_file($testPath)) {
return $testPath;
}
}
}
foreach ($this->_indexTemplateFilenames as $filename) {
foreach ($this->_defaultTemplateExtensions as $extension) {
$testPath = $basePath . ($name !== '' ? DIRECTORY_SEPARATOR . $name : '') . DIRECTORY_SEPARATOR . $filename . '.' . $extension;
if (is_file($testPath)) {
return $testPath;
}
}
}
return null;
}
When attacker with admin privileges on the DEV or Misconfigured STG, PROD, they can exploit this vulnerability to remote code execution (ALLOW_ADMIN_CHANGES=true)
PoC
Step 1) Create a new filesystem. Base Path: /var/www/html/templates
Step 2) Create a new asset volume. Asset Filesystem: template
Step 3) Upload poc file( .txt , .js , .json , etc ) with twig template rce payload
{{'<pre>'}}
{{1337*1337}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}
Step 4) Create a new global set with template layout. The template filename is poc.js
Step 5) When access global menu or /admin/global/test, poc.js is rendered as a template file and RCE confirmed
Step 6) RCE can be confirmed on other menus(Entries, Categories) where the template file is loaded.
Poc Environment) ALLOW_ADMIN_CHANGES=true, defaultTemplateExtensions=['html','twig']
Impact
Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.
Additionally, there are 371 domains using CraftCMS exposed on Shodan, and among them, 33 servers have "stage" or "dev" included in their hostnames.
although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)
Remediation
Recommend taking measures by referring to https://github.com/craftcms/cms-ghsa-9f84-5wpf-3vcf/pull/1
// Maybe $name is already the full file path
$testPath = $basePath . DIRECTORY_SEPARATOR . $name;
if (is_file($testPath)) {
// Remedation: Verify template file extension, before return
$fileExt = pathinfo($testPath, PATHINFO_EXTENSION);
$isDisallowed = false;
if (isset($fileExt)) {
$isDisallowed = !in_array($fileExt, $this->_defaultTemplateExtensions);
if($isDisallowed) {
return null;
} else {
return $testPath;
}
}
}
Severity ?
7.2 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32679"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-22T20:36:06Z",
"nvd_published_at": "2023-05-19T20:15:09Z",
"severity": "HIGH"
},
"details": "### Summary\nUnrestricted file extension lead to a potential Remote Code Execution\n(Authenticated, ALLOW_ADMIN_CHANGES=true)\n\n### Details\n#### Vulnerability Cause : \nIf the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates (even if they are not extensions set in defaultTemplateExtensions = [\u0027html\u0027, \u0027twig\u0027])\n```php\n /**\n * Searches for a template files, and returns the first match if there is one.\n *\n * @param string $basePath The base path to be looking in.\n * @param string $name The name of the template to be looking for.\n * @param bool $publicOnly Whether to only look for public templates (template paths that don\u2019t start with the private template trigger).\n * @return string|null The matching file path, or `null`.\n */\n private function _resolveTemplate(string $basePath, string $name, bool $publicOnly): ?string\n {\n // Normalize the path and name\n $basePath = FileHelper::normalizePath($basePath);\n $name = trim(FileHelper::normalizePath($name), \u0027/\u0027);\n\n // $name could be an empty string (e.g. to load the homepage template)\n if ($name !== \u0027\u0027) {\n if ($publicOnly \u0026\u0026 preg_match(sprintf(\u0027/(^|\\/)%s/\u0027, preg_quote($this-\u003e_privateTemplateTrigger, \u0027/\u0027)), $name)) {\n return null;\n }\n\n // Maybe $name is already the full file path\n $testPath = $basePath . DIRECTORY_SEPARATOR . $name;\n\n if (is_file($testPath)) {\n return $testPath;\n }\n\n foreach ($this-\u003e_defaultTemplateExtensions as $extension) {\n $testPath = $basePath . DIRECTORY_SEPARATOR . $name . \u0027.\u0027 . $extension;\n\n if (is_file($testPath)) {\n return $testPath;\n }\n }\n }\n\n foreach ($this-\u003e_indexTemplateFilenames as $filename) {\n foreach ($this-\u003e_defaultTemplateExtensions as $extension) {\n $testPath = $basePath . ($name !== \u0027\u0027 ? DIRECTORY_SEPARATOR . $name : \u0027\u0027) . DIRECTORY_SEPARATOR . $filename . \u0027.\u0027 . $extension;\n\n if (is_file($testPath)) {\n return $testPath;\n }\n }\n }\n\n return null;\n }\n```\n\nWhen attacker with admin privileges on the DEV or Misconfigured STG, PROD, they can exploit this vulnerability to remote code execution **(ALLOW_ADMIN_CHANGES=true)**\n\n\n### PoC\n**Step 1)** Create a new filesystem. **Base Path: /var/www/html/templates**\n\n\n**Step 2)** Create a new asset volume. **Asset Filesystem: template**\n\n\n**Step 3)** Upload poc file( .txt , .js , .json , etc ) with twig template rce payload\n```twig\n{{\u0027\u003cpre\u003e\u0027}}\n{{1337*1337}}\n{{[\u0027cat /etc/passwd\u0027]|map(\u0027passthru\u0027)|join}}\n{{[\u0027id;pwd;ls -altr /\u0027]|map(\u0027passthru\u0027)|join}}\n```\n\n\n\n**Step 4)** Create a new global set with template layout. The template filename is poc.js\n\n\n**Step 5)** When access global menu or /admin/global/test, poc.js is rendered as a template file and RCE confirmed\n\n\n**Step 6)** RCE can be confirmed on other menus(Entries, Categories) where the template file is loaded.\n\n\n\n\n**Poc Environment)** ALLOW_ADMIN_CHANGES=true, defaultTemplateExtensions=[\u0027html\u0027,\u0027twig\u0027]\n\n\n\n\n### Impact\nTake control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.\n\nAdditionally, there are 371 domains using CraftCMS exposed on Shodan, and among them, 33 servers have \"stage\" or \"dev\" included in their hostnames. \n\nalthough the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)\n\n\n\n### Remediation\nRecommend taking measures by referring to https://github.com/craftcms/cms-ghsa-9f84-5wpf-3vcf/pull/1\n```php\n // Maybe $name is already the full file path\n $testPath = $basePath . DIRECTORY_SEPARATOR . $name;\n\n if (is_file($testPath)) {\n // Remedation: Verify template file extension, before return\n $fileExt = pathinfo($testPath, PATHINFO_EXTENSION);\n $isDisallowed = false;\n\n if (isset($fileExt)) {\n $isDisallowed = !in_array($fileExt, $this-\u003e_defaultTemplateExtensions);\n\n if($isDisallowed) {\n return null;\n } else {\n return $testPath;\n }\n }\n }\n```\n\n",
"id": "GHSA-vqxf-r9ph-cc9c",
"modified": "2023-05-22T20:36:06Z",
"published": "2023-05-22T20:36:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32679"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/4.4.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Craft CMS vulnerable to Remote Code Execution via unrestricted file extension "
}
FKIE_CVE-2023-32679
Vulnerability from fkie_nvd - Published: 2023-05-19 20:15 - Updated: 2024-11-21 08:03
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A4ADBBC-7393-491B-BC44-81DD6CABD2A9",
"versionEndExcluding": "4.4.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string(\u0027\u0027) in the View.php\u0027s doesTemplateExist() -\u003e resolveTemplate() -\u003e _resolveTemplateInternal() -\u003e _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"id": "CVE-2023-32679",
"lastModified": "2024-11-21T08:03:50.137",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-19T20:15:09.310",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…