CVE-2025-35939

Warnung

Medienbericht

EPSS 33.05%
Veröffentlicht 07.05.2025 22:41:29
Zuletzt bearbeitet 03.06.2025 20:59:34
Quelle 9119a7d8-5eab-497f-8521-727c67
Teams Watchlist Login
Unerledigt Login

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Craftcms ≫ Craft Cms Version < 4.15.3

Craftcms ≫ Craft Cms Version >= 5.0.0 < 5.7.5

02.06.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Schwachstelle

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	33.05%	0.968

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
9119a7d8-5eab-497f-8521-727c672e3725	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
9119a7d8-5eab-497f-8521-727c672e3725	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-472 External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

https://www.heise.de/news/Warnung-vor-Angriffen-auf-Connectwise-Craft-CMS-und-Asus-Router-10424978.html

Medienbericht

heise Security

https://github.com/craftcms/cms/pull/17220

Patch

https://github.com/craftcms/cms/releases/tag/4.15.3

Release Notes

https://github.com/craftcms/cms/releases/tag/5.7.5

Release Notes

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json

Third Party Advisory

https://www.cve.org/CVERecord?id=CVE-2025-35939

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2025-35939

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-35939

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-35939

EUVD