10

CVE-2023-41892

Craft CMS Remote Code Execution vulnerability

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CraftcmsCraft Cms Version >= 4.4.0 < 4.4.15
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 92.92% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical
Release Notes
https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857
Patch
https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e
Patch
https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1
Patch
https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476
Patch
https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
Patch
Vendor Advisory