CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-06-13T00:00:00

Updated: 2024-08-02T14:21:44.660Z

Reserved: 2023-04-07T00:00:00

Link: CVE-2023-30179

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-06-13T17:15:14.600

Modified: 2024-08-02T15:15:39.230

Link: CVE-2023-30179

cve-icon Redhat

No data.