CVE-2023-47129
published 2023-11-10CVE-2023-47129: Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP…
PriorityP258critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.12%
62.1th percentile
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| statamic | cms | < 3.4.13 | 3.4.13 |
| statamic | cms | — | — |
| statamic | cms | >= 0 < 3.4.13 | 3.4.13 |
| statamic | cms | >= 4.0.0 < 4.33.0 | 4.33.0 |
| statamic | statamic | < 3.4.13 | 3.4.13 |
| statamic | statamic | >= 4.0.0 < 4.33.0 | 4.33.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Statamic CMS remote code execution via front-end form uploads
osv·2023-11-12
CVE-2023-47129 [HIGH] Statamic CMS remote code execution via front-end form uploads
Statamic CMS remote code execution via front-end form uploads
### Impact
On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel.
### Patches
It has been patched in 3.4.13 and 4.33.0.
GHSA
Statamic CMS remote code execution via front-end form uploads
ghsa·2023-11-12
CVE-2023-47129 [HIGH] CWE-434 Statamic CMS remote code execution via front-end form uploads
Statamic CMS remote code execution via front-end form uploads
### Impact
On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel.
### Patches
It has been patched in 3.4.13 and 4.33.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfchttps://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
2023-11-10
Published