Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-41892 — Code Injection in Craft CMS

CWE-94 — Code Injection14 documents11 sources

Severity

10.0CRITICALNVD

NVD9.8

EPSS

93.9%

top 0.12%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedSep 13

Latest updateApr 25

Description

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Packagistcraftcms/cms4.0.0-RC1 — 4.4.15

▶NVDcraftcms/craft_cms3.0.0 — 3.9.15+3

▶CVEListV5craftcms/cms4 versions+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Craft CMS Allows Remote Code Execution↗2025-04-25

▶

CVEList

Craft CMS Remote Code Execution vulnerability↗2023-09-13

▶

OSV

Craft CMS Remote Code Execution vulnerability↗2023-09-13

▶

GHSA

Craft CMS Remote Code Execution vulnerability↗2023-09-13

▶

VulnCheck

craftcms Craft CMS Improper Control of Generation of Code ('Code Injection')↗2023

▶

💥Exploits & PoCs

Exploit-DB

Craft CMS 4.4.14 - Unauthenticated Remote Code Execution↗2024-03-25

▶

Nuclei

CraftCMS - Remote Code Execution

▶

Nuclei

CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution

▶

Metasploit

Craft CMS unauthenticated Remote Code Execution (RCE)↗

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS CraftCMS Remote Code Execution via ConditionsController Object Creation (CVE-2023-41892)↗2024-10-02

▶

🕵️Threat Intelligence

Greynoiseio

NoiseLetter August 2024↗

▶

📄Research Papers

CTF

medium / README↗

▶