Lucene search

Veracode Vulnerability DatabaseVERACODE:44273

HistoryNov 15, 2023 - 7:10 a.m.

Remote Code Execution (RCE)

2023-11-1507:10:46

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

remote code execution

statamic/cms

forms feature

asset upload

control panel

arbitrary code

image files

vulnerability

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

Low

EPSS

0.001

Percentile

23.1%

JSON

statamic/cms is vulnerable to Remote Code Execution (RCE). This vulnerability impacts both front-end forms employing the Forms feature and asset upload fields in the control panel. Malicious actors can exploit this loophole to introduce and execute arbitrary code via uploading image files.

References

github.com/advisories/GHSA-2r53-9295-3m86

github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411

github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6

github.com/statamic/cms/pull/8991

github.com/statamic/cms/pull/8992

github.com/statamic/cms/releases/tag/v3.4.14

github.com/statamic/cms/releases/tag/v4.34.0

github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

Low

EPSS

0.001

Percentile

23.1%

JSON

Related for VERACODE:44273