CVE-2024-52293

Published 2024-11-13

Priority P3 · Severity high · CVSS 3.1 base score 7.2

EPSS: 1.31% (67.0th percentile)
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, a missing `normalizePath` call in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.12.2 | 4.12.2 |
| craftcms | cms | >= 5.0.0-RC1 < 5.4.3 | 5.4.3 |
| craftcms | craft_cms | < 4.12.2 | 4.12.2 |
| craftcms | craft_cms | < 5.4.3 | 5.4.3 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 4.1.0 < 4.16.6 | 4.16.6 |
| craftcms | craft_cms | >= 5.1.0 < 5.8.7 | 5.8.7 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 7.2 | HIGH | — |
| osv | — | 7.2 | HIGH | — |
OSV

Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI

osv · 2024-11-13 · CVSS 7.2 · CVE-2024-52293 [HIGH]
### Summary
Missing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via Twig SSTI (post-authentication, with `ALLOW_ADMIN_CHANGES=true`).
### Details
Note: this is a sequel to [CVE-2023-40035](https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw).
In [`src/helpers/FileHelper.php#L106-L137`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/helpers/FileHelper.php#L106-L137), the function `absolutePath` returned `$from . $ds . $to` without path normalization:
```php
/**
 * Returns an absolute path based on a source location or the current working directory.
 *
 * @param string $to The t
```
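As an added illustration that is not Craft's code and not the fix the project shipped, the PHP below (assuming PHP 8) shows the normalization step the advisory says was missing, paired with the containment check a defender would put next to it: a `$to` whose `..` segments walk out of `$from` is rejected instead of being concatenated. The paths used are constructed samples.

```php
<?php
// Added example, not Craft's code. Lexical normalization collapses `.` and
// `..` segments without touching the filesystem; realpath() is the
// filesystem-aware alternative but only works for paths that already exist.
function normalizePathLexically(string $path, string $ds = '/'): string
{
    $path = str_replace(['\\', '/'], $ds, $path);
    $isAbsolute = str_starts_with($path, $ds);
    $out = [];
    foreach (explode($ds, $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($out !== [] && end($out) !== '..') {
                array_pop($out);          // step back into the parent
            } elseif (!$isAbsolute) {
                $out[] = '..';            // a relative path may still climb
            }
            continue;                     // at an absolute root, `..` is dropped
        }
        $out[] = $segment;
    }
    return ($isAbsolute ? $ds : '') . implode($ds, $out);
}

// Joins $to onto $from the way the vulnerable helper did, then refuses the
// result unless it still lies inside $from. Returns null when `..` escapes.
function containedAbsolutePath(string $from, string $to, string $ds = '/'): ?string
{
    $base   = normalizePathLexically($from, $ds);
    $joined = normalizePathLexically($from . $ds . $to, $ds);
    if ($joined === '..' || str_starts_with($joined, '..' . $ds)) {
        return null;                      // climbed above a relative base
    }
    $prefix = $base === '' ? '' : rtrim($base, $ds) . $ds;
    if ($joined !== $base && !str_starts_with($joined, $prefix)) {
        return null;                      // left the base directory
    }
    return $joined;
}

// Constructed sample inputs (hypothetical paths, not taken from the advisory).
foreach (['uploads/./image.png', '../../../outside.txt', 'a/../b'] as $to) {
    $result = containedAbsolutePath('/var/www/storage', $to);
    echo str_pad($to, 24), ' => ', $result ?? 'REJECTED', PHP_EOL;
}
```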
GHSA

Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI

ghsa · 2024-11-13 · CVSS 7.2 · CVE-2024-52293 [HIGH] · CWE-22

The GHSA advisory text (Summary and Details) is identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.