Nov 21, 2023 - 11:15 p.m.

CVE-2023-48701

2023-11-21 23:15:08
CWE-79
web.nvd.nist.gov
cve-2023-48701
statamic cms
laravel
git
content management system
cms
html file upload
vulnerability
patch
nvd
security advisory

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H

EPSS: 0.001 Low
Percentile: 20.8%

Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of MIME validation. This is only applicable on front-end forms using the “Forms” feature containing an assets field, or within the control panel, which requires authentication. This issue has been patched in 3.4.15 and 4.36.0.

Affected configurations

Node
statamic statamic Range <3.4.15
OR
statamic statamic Range 4.0.0 - 4.36.0

Vendor    Product   Version  CPE
statamic  statamic  *        cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
statamic  statamic  *        cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "statamic",
    "product": "cms",
    "versions": [
      {
        "version": "< 3.4.15 ",
        "status": "affected"
      },
      {
        "version": ">= 4.0.0, < 4.36.0",
        "status": "affected"
      }
    ]
  }
]
