Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3
Statamic CMS remote code execution via front-end form uploads
Impact
On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of MIME validation rules. This only affects forms using the "Forms" feature, not just any arbitrary form. This does not affect the control panel.
Patches
It has been patched in 3.4.13 and 4.33.0.
Permalink: https://github.com/advisories/GHSA-72hg-5wr5-rmfc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 16 days ago
Updated: 16 days ago
CVSS Score: 8.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-72hg-5wr5-rmfc, CVE-2023-47129
References:
- https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
- https://nvd.nist.gov/vuln/detail/CVE-2023-47129
- https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
- https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
- https://github.com/advisories/GHSA-72hg-5wr5-rmfc
Affected Packages
packagist:statamic/cms
Versions: < 3.4.13; >= 4.0.0, < 4.33.0
Fixed in: 3.4.13, 4.33.0