CVE-2023-41892

EPSS 93.76%
Veröffentlicht 13.09.2023 20:15:08
Zuletzt bearbeitet 21.11.2024 08:21:52
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Craftcms ≫ Craft Cms Version >= 4.4.0 < 4.4.15

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.76%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical

Release Notes

https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857

Patch

https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e

Patch

https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1

Patch

https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476

Patch

https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g