Withdrawn Advisory: CraftCMS Server-Side Template Injection vulnerability

2023-06-1318:30:39

Google

osv.dev

craftcms

ssti

dispute

rce

user settings

0.004 Low

EPSS

Percentile

73.6%

JSON

Withdrawn

This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references.

According to maintainers of Craft CMS, only administrators can access Settings, and those administrators may have business needs for their permissions. Additionally, the underlying issue likely has little to no real-world security impact.

Original Description

CraftCMS is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution.

CPENameOperatorVersion
craftcms/cmseq1.0.26.1
craftcms/cmseq1.2.0-alpha.2310
craftcms/cmseq1.2.0-alpha.2312
craftcms/cmseq1.2.0-alpha.2316
craftcms/cmseq1.2.0-alpha.2318
craftcms/cmseq1.2.0-alpha.2319
craftcms/cmseq1.2.0-alpha.2322
craftcms/cmseq1.2.0-alpha.2323
craftcms/cmseq1.2.0-alpha.2324
craftcms/cmseq1.2.0-alpha.2328

Name	Operator	Version
craftcms/cms	eq	1.0.26.1
craftcms/cms	eq	1.2.0-alpha.2310
craftcms/cms	eq	1.2.0-alpha.2312
craftcms/cms	eq	1.2.0-alpha.2316
craftcms/cms	eq	1.2.0-alpha.2318
craftcms/cms	eq	1.2.0-alpha.2319
craftcms/cms	eq	1.2.0-alpha.2322
craftcms/cms	eq	1.2.0-alpha.2323
craftcms/cms	eq	1.2.0-alpha.2324
craftcms/cms	eq	1.2.0-alpha.2328