CVE-2023-47129

HIGH 8.3 | EPSS 6.0%

Statamic CMS remote code execution via front-end form uploads

Published: 11/12/2023 | Modified: 2/16/2024
Also known as: GHSA-72hg-5wr5-rmfc

Description

### Impact

On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel.

### Patches

It has been patched in 3.4.13 and 4.33.0.

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |

References (5)