CVE-2024-52600
published 2024-11-19CVE-2024-52600: Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may…
PriorityP430medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.56%
42.4th percentile
Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. Traversal outside an asset container is not possible. This path traversal vulnerability has been fixed in 5.17.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| statamic | cms | < 5.17.0 | 5.17.0 |
| statamic | cms | >= 0 < 5.17.0 | 5.17.0 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
osv7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Statamic CMS has a Path Traversal in Asset Upload
osv·2024-11-19
CVE-2024-52600 [MEDIUM] Statamic CMS has a Path Traversal in Asset Upload
Statamic CMS has a Path Traversal in Asset Upload
Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.
### Impact
- Affects front-end forms with `assets` fields.
- Affects other places where assets can be uploaded, although users would need upload permissions anyway.
- Files can be uploaded so they would be located on the server in a different location, and potentially override existing files.
- Traversal _outside_ an asset container was not possible.
### Patches
This has been fixed in 5.17.0.
GHSA
Statamic CMS has a Path Traversal in Asset Upload
ghsa·2024-11-19
CVE-2024-52600 [MEDIUM] CWE-22 Statamic CMS has a Path Traversal in Asset Upload
Statamic CMS has a Path Traversal in Asset Upload
Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.
### Impact
- Affects front-end forms with `assets` fields.
- Affects other places where assets can be uploaded, although users would need upload permissions anyway.
- Files can be uploaded so they would be located on the server in a different location, and potentially override existing files.
- Traversal _outside_ an asset container was not possible.
### Patches
This has been fixed in 5.17.0.
OSV
linux-azure-6.5 vulnerabilities
osv·2024-04-24·CVSS 7.8
CVE-2023-52600 linux-azure-6.5 vulnerabilities
linux-azure-6.5 vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- JFS file system;
- BPF subsystem;
- Netfilter;
(CVE-2023-52600, CVE-2024-26589, CVE-2024-26591, CVE-2024-26581,
CVE-2023-52603)
OSV
linux-azure, linux-lowlatency, linux-nvidia vulnerabilities
osv·2024-04-23·CVSS 6.8
CVE-2023-24023 linux-azure, linux-lowlatency, linux-nvidia vulnerabilities
linux-azure, linux-lowlatency, linux-nvidia vulnerabilities
Daniele Antonioli discovered that the Secure Simple Pairing and Secure
Connections pairing in the Bluetooth protocol could allow an
unauthenticated user to complete authentication without pairing
credentials. A physically proximate attacker placed between two Bluetooth
devices could use this to subsequently impersonate one of the paired
devices. (CVE-2023-24023)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- JFS file system;
- Netfilter;
(CVE-2024-26581, CVE-2023-52600, CVE-2023-52603)
OSV
linux-lowlatency-hwe-6.5 vulnerabilities
osv·2024-04-22·CVSS 7.8
CVE-2023-52600 linux-lowlatency-hwe-6.5 vulnerabilities
linux-lowlatency-hwe-6.5 vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- JFS file system;
- BPF subsystem;
- Netfilter;
(CVE-2023-52600, CVE-2024-26589, CVE-2024-26591, CVE-2024-26581,
CVE-2023-52603)
OSV
linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, lin
osv·2024-04-19·CVSS 7.8
CVE-2023-52600 linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, lin
linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5 vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- JFS file system;
- BPF subsystem;
- Netfilter;
(CVE-2023-52600, CVE-2024-26589, CVE-2024-26591, CVE-2024-26581,
CVE-2023-52603)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388dhttps://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346dahttps://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380dhttps://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
2024-11-19
Published