CVE-2023-47129
HIGH 8.3 | EPSS 5.4% | Statamic CMS remote code execution via front-end form uploads
Published: 2023/11/12 | Modified: 2024/2/16
Description
### Impact

On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel.

### Patches

It has been patched in 3.4.13 and 4.33.0.
Affected packages (1)
- Packagist: statamic/cms >= 4.0.0, < 4.33.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Reference links (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-47129
- PATCH: https://github.com/statamic/cms
- WEB: https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
- WEB: https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
- WEB: https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc