Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycjUzLTkyOTUtM204Ns4AA3K4
Statamic CMS vulnerable to remote code execution via form uploads
Impact
As in a related advisory, additional PHP files crafted to look like images can be uploaded despite MIME-type validation rules. This affects front-end forms built with the "Forms" feature and asset upload fields in the control panel.
Patches
This has been patched in versions 3.4.14 and 4.34.0.
Permalink: https://github.com/advisories/GHSA-2r53-9295-3m86
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycjUzLTkyOTUtM204Ns4AA3K4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 14 days ago
Updated: 6 days ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2r53-9295-3m86, CVE-2023-48217
References:
- https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86
- https://github.com/statamic/cms/pull/8991
- https://github.com/statamic/cms/pull/8992
- https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411
- https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6
- https://github.com/statamic/cms/releases/tag/v3.4.14
- https://github.com/statamic/cms/releases/tag/v4.34.0
- https://nvd.nist.gov/vuln/detail/CVE-2023-48217
- https://github.com/advisories/GHSA-2r53-9295-3m86
Affected Packages
packagist:statamic/cms
Versions: < 3.4.14; >= 4.0.0, < 4.34.0
Fixed in: 3.4.14, 4.34.0