CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2023-06-13T00:00:00
Updated: 2024-08-02T14:21:44.660Z
Reserved: 2023-04-07T00:00:00
Link: CVE-2023-30179
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-06-13T17:15:14.600
Modified: 2024-08-02T15:15:39.230
Link: CVE-2023-30179
Redhat
No data.