CVE-2024-52293Path Traversal in Craft CMS

CWE-22Path TraversalCWE-1336Improper Neutralization of Special Elements Used in a Template EngineCWE-94Code Injection6 documents4 sources
Severity
7.2HIGHNVD
NVD6.1
EPSS
22.0%
top 4.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedNov 13
Latest updateAug 25

Description

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

Packagistcraftcms/cms4.0.0-RC14.12.2+1
NVDcraftcms/craft_cms4.1.04.16.6+5
CVEListV5craftcms/cms6 versions+5

Patches

Patch: github.com

🔴Vulnerability Details

4
CVEList
Craft Potential Remote Code Execution via Twig SSTI2025-08-25
OSV
Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI2024-11-13
CVEList
Craft has a Potential Remote Code Execution via missing path normalization & Twig SSTI2024-11-13
GHSA
Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI2024-11-13
CVE-2024-52293 — Path Traversal in Craftcms Craft CMS | cvebase