Lucene search

K

Craft CMS - Remote Code Execution via Template Path Manipulation

🗓️ 29 Dec 2024 16:28:51Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 23 Views

Critical Remote Code Execution in Craft CMS via Template Path Manipulation by leveraging malicious Twig templates.

Show more
Related
Refs
Code
id: CVE-2024-56145

info:
  name: Craft CMS - Remote Code Execution via Template Path Manipulation
  author: jackhax
  severity: critical
  description: |
    This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
    The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
  impact: |
    Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
  remediation: |
    Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
  reference:
    - https://github.com/advisories/GHSA-2p6p-9rc9-62j9
    - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
    - https://github.com/Chocapikk/CVE-2024-56145
    - https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
    - https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.3
    cve-id: CVE-2024-56145
    cwe-id: CWE-94
    epss-score: 0.00043
    epss-percentile: 0.10941
    cpe: cpe:2.3:a:craftcms:craft:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: craftcms
    product: cms
    shodan-query:
      - http.html:"craftcms"
      - http.favicon.hash:"-47932290"
    fofa-query:
      - icon_hash=-47932290
      - body=craftcms
    publicwww-query: craftcms
  tags: cve,cve2024,rce,craftcms,ssti

variables:
  nonce: "{{rand_int(1000000000,9999999999)}}"

http:
  - raw:
      - |
        GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{nonce}}'
          - 'mkdir()'
          - 'Permission denied'
          - 'No such file or directory'
        condition: and

      - type: status
        status:
          - 503
# digest: 4a0a00473045022100b98233f44cd9e9c639b4f5314d63cbbcb1d3a87a9598d0ac0f3daf7849705545022039f1c02aebb4b3ee28f874d6543dc94e306a8849e6c3be0f2f9c79a54915483b:922c64590222798bb761d5b6d8e72950

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
29 Dec 2024 16:51Current
7.4High risk
Vulners AI Score7.4
CVSS49.3
SSVC
23
.json
Report