Critical Remote Code Execution in Craft CMS via Template Path Manipulation by leveraging malicious Twig templates.
Reporter | Title | Published | Family
---|---|---|---
Veracode | Remote Code Execution (RCE) | 7 Jan 2025 02:56 | veracode
NVD | CVE-2024-56145 | 18 Dec 2024 21:15 | nvd
Github Security Blog | Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled | 18 Dec 2024 19:47 | github
Vulnrichment | CVE-2024-56145 RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms | 18 Dec 2024 20:37 | vulnrichment
GithubExploit | Exploit for CVE-2024-56145 | 20 Dec 2024 03:34 | githubexploit
GithubExploit | Exploit for CVE-2024-56145 | 22 Dec 2024 11:53 | githubexploit
Cvelist | CVE-2024-56145 RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms | 18 Dec 2024 20:37 | cvelist
OSV | Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled | 18 Dec 2024 19:47 | osv
CVE | CVE-2024-56145 | 18 Dec 2024 21:15 | cve
```yaml
id: CVE-2024-56145

info:
  name: Craft CMS - Remote Code Execution via Template Path Manipulation
  author: jackhax
  severity: critical
  description: |
    This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
    The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
  impact: |
    Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
  remediation: |
    Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or, if you can't upgrade yet and register_argc_argv is enabled, you can disable it to mitigate the issue.
  reference:
    - https://github.com/advisories/GHSA-2p6p-9rc9-62j9
    - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
    - https://github.com/Chocapikk/CVE-2024-56145
    - https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
    - https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.3
    cve-id: CVE-2024-56145
    cwe-id: CWE-94
    epss-score: 0.00043
    epss-percentile: 0.10941
    cpe: cpe:2.3:a:craftcms:craft:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: craftcms
    product: cms
    shodan-query:
      - http.html:"craftcms"
      - http.favicon.hash:"-47932290"
    fofa-query:
      - icon_hash=-47932290
      - body=craftcms
    publicwww-query: craftcms
  tags: cve,cve2024,rce,craftcms,ssti

variables:
  # Random marker echoed back in the error page, so a match cannot be a coincidence
  nonce: "{{rand_int(1000000000,9999999999)}}"

http:
  - raw:
      - |
        GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1
        Host: {{Hostname}}

    # Non-destructive check: an unpatched instance honours the query-string
    # option and fails while trying to create the bogus config directory.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{nonce}}'
          - 'mkdir()'
          - 'Permission denied'
          - 'No such file or directory'
        condition: and

      - type: status
        status:
          - 503
# digest: 4a0a00473045022100b98233f44cd9e9c639b4f5314d63cbbcb1d3a87a9598d0ac0f3daf7849705545022039f1c02aebb4b3ee28f874d6543dc94e306a8849e6c3be0f2f9c79a54915483b:922c64590222798bb761d5b6d8e72950
```
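The template's remediation points at PHP's `register_argc_argv`. The following PHP is an added illustration (not Craft CMS code and not the project's fix) of why that setting matters: with it enabled, PHP fills `$_SERVER['argv']` from the query string of a web request, so a CLI-option parser that trusts `argv` unconditionally ends up reading a path chosen by the HTTP client. The function names `cliOptionUnsafe`/`cliOptionSafe` and the request values are constructed for this example.

```php
<?php
// Added example, not Craft CMS code. Shows how register_argc_argv turns a
// query string into CLI-style options, and the SAPI check that closes it.

/** Naive option lookup: trusts $_SERVER['argv'] regardless of how PHP was invoked. */
function cliOptionUnsafe(string $name, array $server): ?string
{
    foreach ($server['argv'] ?? [] as $arg) {
        if (str_starts_with($arg, "$name=")) {
            return substr($arg, strlen($name) + 1);
        }
    }
    return null;
}

/** Hardened lookup: only honour argv when the process really is a CLI run. */
function cliOptionSafe(string $name, array $server, string $sapi = PHP_SAPI): ?string
{
    if ($sapi !== 'cli') {
        return null;           // web SAPIs (fpm-fcgi, apache2handler, cgi-fcgi) never take options from the request
    }
    return cliOptionUnsafe($name, $server);
}

// Constructed web request. With register_argc_argv=On, PHP derives
// $_SERVER['argv'] from QUERY_STRING by splitting on '+'; no script name is prepended.
$webServer = [
    'REQUEST_METHOD' => 'GET',
    'QUERY_STRING'   => '--configPath=/nuclei_test/1234567890',
];
$webServer['argv'] = explode('+', $webServer['QUERY_STRING']);
$webServer['argc'] = count($webServer['argv']);

// Under the naive parser the config path is whatever the HTTP client sent.
var_dump(cliOptionUnsafe('--configPath', $webServer));

// Under the hardened parser the same request yields no option at all.
var_dump(cliOptionSafe('--configPath', $webServer, 'fpm-fcgi'));

// A genuine CLI invocation (constructed) still works as intended.
$cliServer = ['argv' => ['craft', '--configPath=/srv/craft/config'], 'argc' => 2];
var_dump(cliOptionSafe('--configPath', $cliServer, 'cli'));
```

Disabling `register_argc_argv` in php.ini, as the remediation suggests, removes the `argv` population entirely and therefore protects even code that still uses the naive lookup.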