Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3

Statamic CMS remote code execution via front-end form uploads

Impact

On front-end forms with an asset upload field, PHP files crafted to look like images (for example, a file whose leading bytes are a valid image signature but whose body is PHP code) may be uploaded regardless of the configured MIME-type validation rules. This only affects forms built with the "Forms" feature, not arbitrary forms on the site. This does not affect the control panel.
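The failure mode above is a generic one: a validator that decides "is this an image?" from content sniffing alone will accept an image/PHP polyglot even when the client-supplied name ends in `.php`. The following is an added illustration of that class of bug and of the checks a hardened upload handler applies (extension allow-list, sniffed type must agree with the extension, reject embedded PHP open tags, never reuse the client's file name). It is not Statamic's code and makes no claim about how Statamic's validator is implemented; the sample files, helper names and the magic-byte table are all constructed for this example.

```python
"""Image/PHP polyglot versus MIME-sniffing upload validation (added example)."""
import os
import re
import secrets
from typing import Optional

# Constructed sample inputs (not taken from the advisory). Both start with a
# valid GIF89a signature; only the second carries PHP code after the header.
GIF_HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
CLEAN_GIF = GIF_HEADER + b"\x00" * 16 + b"\x3b"
POLYGLOT = GIF_HEADER + b"<?php echo 'polyglot'; ?>"

# Minimal magic-byte table, the same idea libmagic/finfo-based checks use.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
# Extension allow-list mapped to the MIME type the content must sniff as.
ALLOWED_EXT = {
    "gif": "image/gif",
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
}
# PHP open tags: '<?php' and the short echo tag '<?='.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def sniff_mime(data: bytes) -> Optional[str]:
    """Guess the MIME type from leading magic bytes only."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def naive_is_allowed(filename: str, data: bytes) -> bool:
    """Vulnerable pattern: trust the sniffed MIME type and ignore the name.

    A file named shell.php whose first six bytes spell GIF89a passes, and if
    it is then stored under its original name in a web-served directory the
    server will execute it as PHP.
    """
    return sniff_mime(data) in ALLOWED_EXT.values()


def _extension(filename: str) -> str:
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def hardened_is_allowed(filename: str, data: bytes) -> bool:
    """Hardened pattern: every check must pass, not any one of them."""
    ext = _extension(filename)
    if ext not in ALLOWED_EXT:            # allow-list the extension
        return False
    if sniff_mime(data) != ALLOWED_EXT[ext]:  # content must match the extension
        return False
    if PHP_TAG.search(data):              # reject polyglots outright
        return False
    return True


def stored_name(filename: str) -> str:
    """Never reuse the client-supplied name; keep only the allow-listed extension."""
    ext = _extension(filename)
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print("naive   accepts avatar.php polyglot:", naive_is_allowed("avatar.php", POLYGLOT))
    print("hardened accepts avatar.php polyglot:", hardened_is_allowed("avatar.php", POLYGLOT))
    print("hardened accepts avatar.gif polyglot:", hardened_is_allowed("avatar.gif", POLYGLOT))
    print("hardened accepts clean avatar.gif:   ", hardened_is_allowed("avatar.gif", CLEAN_GIF))
    print("stored as:", stored_name("avatar.gif"))
```

Even with these checks in place, uploads from unauthenticated visitors should be written to a location the web server does not execute scripts from, so that a validator bypass turns into a stored file rather than remote code execution.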

Patches

It has been patched in 3.4.13 (for the 3.x series) and 4.33.0 (for the 4.x series).

Permalink: https://github.com/advisories/GHSA-72hg-5wr5-rmfc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 8.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-72hg-5wr5-rmfc, CVE-2023-47129
References: Repository: https://github.com/statamic/cms
Blast Radius: 21.7

Affected Packages

packagist:statamic/cms
Dependent packages: 377
Dependent repositories: 388
Downloads: 1,868,698 total
Affected Version Ranges: < 3.4.13; >= 4.0.0, < 4.33.0
Fixed in: 3.4.13, 4.33.0
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.0.26, 3.0.27, 3.0.28, 3.0.29, 3.0.30, 3.0.31, 3.0.32, 3.0.33, 3.0.34, 3.0.35, 3.0.36, 3.0.37, 3.0.38, 3.0.39, 3.0.40, 3.0.41, 3.0.42, 3.0.43, 3.0.44, 3.0.45, 3.0.46, 3.0.47, 3.0.48, 3.0.49, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.23, 3.2.24, 3.2.25, 3.2.26, 3.2.27, 3.2.28, 3.2.29, 3.2.30, 3.2.31, 3.2.32, 3.2.33, 3.2.34, 3.2.35, 3.2.36, 3.2.37, 3.2.38, 3.2.39, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.3.15, 3.3.16, 3.3.17, 3.3.18, 3.3.19, 3.3.20, 3.3.21, 3.3.22, 3.3.23, 3.3.24, 3.3.25, 3.3.26, 3.3.27, 3.3.28, 3.3.29, 3.3.30, 3.3.31, 3.3.32, 3.3.33, 3.3.34, 3.3.35, 3.3.36, 3.3.37, 3.3.38, 3.3.39, 3.3.40, 3.3.41, 3.3.42, 3.3.43, 3.3.44, 3.3.45, 3.3.46, 3.3.47, 3.3.48, 3.3.49, 3.3.50, 3.3.51, 3.3.52, 3.3.53, 3.3.54, 3.3.55, 3.3.56, 3.3.57, 3.3.58, 3.3.59, 3.3.60, 3.3.61, 3.3.62, 3.3.63, 3.3.64, 3.3.65, 3.3.66, 3.3.67, 3.3.68, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.12.0, 4.13.0, 4.13.1, 4.13.2, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.23.1, 4.23.2, 4.24.0, 4.25.0, 4.26.0, 4.26.1, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.32.0
All unaffected versions: 3.4.13, 3.4.14, 3.4.15, 3.4.16, 3.4.17, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.42.1, 4.43.0, 4.44.0, 4.45.0, 4.46.0, 4.47.0, 4.48.0, 4.49.0, 4.50.0, 4.51.0, 4.52.0, 4.53.0, 4.53.1, 4.53.2, 4.54.0, 4.55.0, 4.56.0, 4.56.1, 4.57.0, 4.57.1, 4.57.2, 4.57.3, 4.58.0, 4.58.1, 4.58.2, 4.58.3, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.6.1, 5.6.2, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0, 5.17.0, 5.17.1, 5.18.0, 5.19.0, 5.20.0, 5.21.0, 5.22.0, 5.22.1, 5.23.0, 5.24.0, 5.25.0, 5.26.0, 5.27.0, 5.28.0, 5.29.0, 5.30.0, 5.31.0, 5.32.0, 5.33.0, 5.33.1, 5.34.0, 5.35.0, 5.36.0, 5.37.0, 5.38.0, 5.38.1, 5.39.0