cbcvebase.
CVE-2023-40035
published 2023-08-23


Priority: P347
Severity: high, 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.91% (77.2nd percentile)
Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltration. Although the vulnerability is exploitable only by authenticated users, and only in a configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (remote code execution). This issue has been patched in version 4.4.15 and version 3.8.15.

Affected (14 ranges)

Vendor     Product     Version range                 Fixed in
craftcms   cms
craftcms   cms
craftcms   cms
craftcms   cms
craftcms   cms         >= 3.0.0 < 3.8.15             3.8.15
craftcms   cms         >= 4.0.0-RC1 < 4.4.15         4.4.15
craftcms   cms         >= 4.0.0-RC1 < 4.12.2         4.12.2
craftcms   cms         >= 5.0.0-RC1 < 5.4.3          5.4.3
craftcms   craft_cms   < 4.12.2                      4.12.2
craftcms   craft_cms   < 5.4.3                       5.4.3
craftcms   craft_cms
craftcms   craft_cms
craftcms   craft_cms   >= 3.0.0 < 3.8.15             3.8.15
craftcms   craft_cms   >= 4.0.0 < 4.4.15             4.4.15

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      7.2     HIGH       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ghsa               7.2     HIGH
osv                7.2     HIGH