CVE-2024-52293
published 2024-11-13


Priority: P346, high
CVSS 3.1 base score: 7.2 (High)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.31% (67.0th percentile)
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft does not call normalizePath in FileHelper::absolutePath, which could lead to remote code execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. The vulnerability is fixed in 4.12.2 and 5.4.3. Note the PR:H in the CVSS vector: exploitation requires an authenticated, high-privilege user, so the practical exposure is from compromised or malicious privileged accounts rather than anonymous visitors.
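The advisory's root cause is a path helper that resolves a relative path against a base directory without normalizing it. The snippet below is an added illustration of that general pattern, written for this page; it is not Craft's FileHelper code, and the function names naiveAbsolutePath, safeAbsolutePath and the local normalizePath, as well as the base directory and attacker input, are assumptions constructed for the example. It shows that the un-normalized result still begins with the base directory string (so a naive prefix check passes) while the normalized result lands outside it, and how a hardened helper normalizes first and then refuses anything outside the base.

```php
<?php
// Added illustration for CVE-2024-52293's bug class, not Craft's own code.
// normalizePath/naiveAbsolutePath/safeAbsolutePath are example names
// assumed here; they are not Craft FileHelper methods.
declare(strict_types=1);

/**
 * String-only normalization: collapse ".", ".." and repeated separators
 * without consulting the filesystem, so it also works for paths that do
 * not exist yet (which realpath() cannot handle).
 */
function normalizePath(string $path, string $ds = '/'): string
{
    $path = str_replace(['/', '\\'], $ds, $path);
    $isAbsolute = str_starts_with($path, $ds);
    $out = [];
    foreach (explode($ds, $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($out !== [] && end($out) !== '..') {
                array_pop($out);          // climb one level
            } elseif (!$isAbsolute) {
                $out[] = '..';            // a relative path may climb above its start
            }
            // for an absolute path, ".." above the root is discarded
            continue;
        }
        $out[] = $segment;
    }
    return ($isAbsolute ? $ds : '') . implode($ds, $out);
}

/** Vulnerable pattern: glue $from and $to together, no normalization. */
function naiveAbsolutePath(string $to, string $from, string $ds = '/'): string
{
    if (str_starts_with($to, $ds)) {
        return $to;
    }
    return rtrim($from, $ds) . $ds . $to;
}

/** Hardened pattern: normalize, then refuse any result outside $from. */
function safeAbsolutePath(string $to, string $from, string $ds = '/'): string
{
    $base = normalizePath($from, $ds);
    $abs  = normalizePath(naiveAbsolutePath($to, $base, $ds), $ds);
    if ($abs !== $base && !str_starts_with($abs, $base . $ds)) {
        throw new InvalidArgumentException("Path escapes base directory: $to");
    }
    return $abs;
}

// Constructed sample input: a base directory and an attacker-chosen relative path.
$base  = '/var/www/storage/templates';
$input = '../../../../tmp/evil';

$naive = naiveAbsolutePath($input, $base);
echo "naive:      $naive", PHP_EOL;
echo "prefix ok?  ", var_export(str_starts_with($naive, $base), true), PHP_EOL;
echo "normalized: ", normalizePath($naive), PHP_EOL;

try {
    safeAbsolutePath($input, $base);
} catch (InvalidArgumentException $e) {
    echo 'hardened:   rejected (', $e->getMessage(), ')', PHP_EOL;
}

echo 'hardened:   ', safeAbsolutePath('site/index.twig', $base), PHP_EOL;
```

Run with `php example.php`. The naive helper returns the base directory followed by the literal `../../../../tmp/evil`, so a prefix comparison against the base passes even though the normalized path is `/tmp/evil`; the hardened helper throws for that input and returns the expected `/var/www/storage/templates/site/index.twig` for a benign one. The containment check compares against `$base . $ds` rather than `$base` alone so that a sibling directory such as `/var/www/storage/templates2` is not accepted by accident.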

Affected (12 ranges)

Vendor    Product     Version range              Fixed in
craftcms  cms
craftcms  cms
craftcms  cms
craftcms  cms
craftcms  cms         >= 4.0.0-RC1, < 4.12.2     4.12.2
craftcms  cms         >= 5.0.0-RC1, < 5.4.3      5.4.3
craftcms  craft_cms   < 4.12.2                   4.12.2
craftcms  craft_cms   < 5.4.3                    5.4.3
craftcms  craft_cms
craftcms  craft_cms
craftcms  craft_cms   >= 4.1.0, < 4.16.6         4.16.6
craftcms  craft_cms   >= 5.1.0, < 5.8.7          5.8.7

CVSS provenance

Source  CVSS version  Score  Severity  Vector
nvd     3.1           7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ghsa                  7.2    HIGH
osv                   7.2    HIGH