CVE-2023-40035
Published 2023-08-23
Priority: P3 (47) · Severity: high · CVSS 3.1 base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.91% (77.2th percentile)

Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution, which in turn allows malicious control of the vulnerable system and data exfiltration. Although the vulnerability is exploitable only by authenticated users on installations configured with ALLOW_ADMIN_CHANGES=true (the allowAdminChanges general config setting, which Craft recommends disabling in production), it still constitutes a remote code execution threat. This issue has been patched in versions 4.4.15 and 3.8.15.
Affected
14 source ranges, deduplicated; entries carrying no version range are dropped

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 3.0.0 < 3.8.15 | 3.8.15 |
| craftcms | cms | >= 4.0.0-RC1 < 4.4.15 | 4.4.15 |
| craftcms | craft_cms | >= 3.0.0 < 3.8.15 | 3.8.15 |
| craftcms | craft_cms | >= 4.0.0 < 4.4.15 | 4.4.15 |
| craftcms | cms | >= 4.0.0-RC1 < 4.12.2 | 4.12.2 |
| craftcms | cms | >= 5.0.0-RC1 < 5.4.3 | 5.4.3 |
| craftcms | craft_cms | < 4.12.2 | 4.12.2 |
| craftcms | craft_cms | < 5.4.3 | 5.4.3 |

The ranges fixed in 3.8.15 and 4.4.15 are the fixes for CVE-2023-40035 itself. The ranges fixed in 4.12.2 and 5.4.3 come from the follow-up advisory CVE-2024-52293 (the "sequel" listed below), which the aggregator has merged into this page; a 4.4.15 or 3.8.15 install is patched against this CVE but not against the follow-up.
CVSS provenance
- NVD (CVSS v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- GHSA: 7.2 HIGH
- OSV: 7.2 HIGH
OSV
Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
osv · 2024-11-13 · CVSS 7.2 (also published as GHSA, CWE-22)
CVE-2024-52293 [HIGH] Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
### Summary
Missing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI.
`(Post-authentication, ALLOW_ADMIN_CHANGES=true)`
### Details
Note: This is a sequel to [CVE-2023-40035](https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw)
In [`src/helpers/FileHelper.php#L106-L137`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/helpers/FileHelper.php#L106-L137), the function `absolutePath` returned `$from . $ds . $to` without path normalization (the quoted docblock is truncated in the advisory as indexed here):
```php
/**
 * Returns an absolute path based on a source location or the current working directory.
 *
 * @param string $to The t
```
GHSA
Craft CMS vulnerable to Remote Code Execution via validatePath bypass
ghsa · 2023-08-21 (also published via OSV)
CVE-2023-40035 [HIGH] CWE-74 Craft CMS vulnerable to Remote Code Execution via validatePath bypass
### Summary
Bypassing the validatePath function can lead to potential Remote Code Execution
(Post-authentication, ALLOW_ADMIN_CHANGES=true)
### Details
In bootstrap.php, the SystemPaths path is set as below (the quoted excerpt is truncated in the advisory as indexed here):
```php
// Set the vendor path. By default assume that it's 4 levels up from here
$vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(__DIR__, 3);
// Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/.
$rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath);
// By default the remaining directories will be in the base directory
$dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH')
```
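Both advisories on this page come down to the same defect class: a user-controlled path is joined onto a trusted base directory and then used to load files or templates, and the check that is supposed to keep it inside the base either is bypassed (CVE-2023-40035, validatePath) or is missing because the join never normalizes `..` segments (CVE-2024-52293, `FileHelper::absolutePath` returning `$from . $ds . $to`). The PHP below is an added example written for this page; it is not Craft CMS's `FileHelper`, `validatePath` or bootstrap code and does not reproduce either bypass. It places the advisory's vulnerable join pattern next to a variant that normalizes lexically and then enforces containment in the base. Function names are illustrative; it assumes PHP 8 (for `str_starts_with`), a `/` separator and an absolute base directory, and the sample paths are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Contrasts the advisory's vulnerable
// pattern (join $from . $ds . $to with no normalization) with a variant that
// normalizes lexically and then enforces containment inside $from.
// Assumptions: PHP 8 (str_starts_with), '/' as separator, absolute $from.

/** Vulnerable pattern: join without normalizing, so "../" in $to survives. */
function absolutePathNaive(string $to, string $from, string $ds = '/'): string
{
    if ($to !== '' && $to[0] === $ds) {
        return $to; // already absolute: returned untouched, base ignored
    }
    return $from . $ds . $to;
}

/**
 * Resolve "." and ".." segments lexically (no filesystem access, so it also
 * works for paths that do not exist yet). A leading ".." is kept for relative
 * paths, since it cannot be resolved without knowing the working directory.
 */
function normalizePathLexically(string $path, string $ds = '/'): string
{
    $isAbs = str_starts_with($path, $ds);
    $out = [];
    foreach (explode($ds, $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($out !== [] && end($out) !== '..') {
                array_pop($out);
            } elseif (!$isAbs) {
                $out[] = '..';
            }
            continue;
        }
        $out[] = $seg;
    }
    return ($isAbs ? $ds : '') . implode($ds, $out);
}

/**
 * Hardened variant: normalize the joined path, then require it to equal the
 * base or sit below "$base/". Returns null when $to escapes the base.
 * The trailing separator in the prefix check matters: a bare prefix check
 * would accept "/var/www/storage2" as being inside "/var/www/storage".
 */
function absolutePathContained(string $to, string $from, string $ds = '/'): ?string
{
    $base = normalizePathLexically($from, $ds);
    $candidate = normalizePathLexically(absolutePathNaive($to, $from, $ds), $ds);
    if ($candidate !== $base && !str_starts_with($candidate, $base . $ds)) {
        return null;
    }
    return $candidate;
}

// Constructed inputs for the demonstration (not taken from any deployment).
$base = '/var/www/storage';
$cases = [
    'backups/2024',       // legitimate subdirectory: accepted
    '../../etc',          // classic traversal out of $from: rejected
    'x/../../..',         // traversal hidden behind a real-looking segment: rejected
    '../storage2/file',   // sibling dir that a bare prefix check would accept: rejected
    '/etc/passwd',        // absolute path that ignores $from entirely: rejected
];

foreach ($cases as $to) {
    $naive = absolutePathNaive($to, $base);
    $safe = absolutePathContained($to, $base);
    printf("%-20s naive=%-34s contained=%s\n", $to, $naive, $safe ?? 'REJECTED');
}
```

The containment check is purely lexical, which is what you want at validation time for directories that may not exist yet; for paths that do exist, a second comparison of `realpath()` on both sides also defends against symlinks pointing out of the base. Normalizing and then checking is the order that matters: checking the raw string for `..` and then letting the join happen later is the shape that advisories like these keep finding.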
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw
- https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5
- https://github.com/craftcms/cms/releases/tag/3.8.15
- https://github.com/craftcms/cms/releases/tag/4.4.15