Platform: php
Component: craftcms/cms
Fixed in: 5.0.1, 4.0.1, 5.4.6
CVE-2024-52291 is a critical vulnerability discovered in CraftCMS that allows attackers to bypass local file system validation. This bypass is achieved through the use of a double file:// scheme, enabling malicious file overwrites and potentially unauthorized access to sensitive files. The vulnerability impacts CraftCMS versions 5.4.5.1 and earlier, and a fix is available in version 5.4.6.
The primary impact of CVE-2024-52291 stems from the ability to bypass file system validation. An attacker exploiting this vulnerability can leverage a double file:// scheme to specify arbitrary directories on the server's file system as the target for file operations. This can lead to several severe consequences, including the overwriting of critical configuration files, the exfiltration of sensitive data stored on the server, and, under specific conditions, the injection of malicious code via Server-Side Template Injection (SSTI). Successful exploitation could grant an attacker complete control over the affected CraftCMS instance, potentially leading to data breaches, system compromise, and denial of service.
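The following is an added illustration, not Craft CMS code, of the validation failure class the advisory describes: a check that strips one leading `file://` scheme and tests a string prefix, placed beside a scheme-aware file layer that strips every scheme, so a doubled scheme passes the check while the real target lies outside the permitted root. The allowed root, sample paths and the hardened replacement are constructed assumptions; POSIX paths are assumed.

```python
"""Constructed illustration (not Craft CMS code) of the bug class described
above: a validator that strips ONE leading file:// scheme disagrees with a
scheme-aware file layer that strips them ALL, so a doubled scheme passes the
check yet escapes the allowed root. ALLOWED_ROOT is an assumed directory;
POSIX paths are assumed."""
import os

SCHEME = "file://"
ALLOWED_ROOT = "/var/www/storage"  # assumed allowed base directory (constructed)

def strip_all_schemes(value: str) -> str:
    """Peel every leading file:// prefix, as a scheme-aware layer would."""
    while value.startswith(SCHEME):
        value = value[len(SCHEME):]
    return value

def consumer_target(value: str) -> str:
    """Where the file layer actually reads or writes for this value."""
    path = strip_all_schemes(value)
    if not os.path.isabs(path):
        path = os.path.join(ALLOWED_ROOT, path)
    return os.path.normpath(path)

def weak_is_allowed(value: str) -> bool:
    """Weak validator: strips a single scheme, then tests a string prefix.
    A leftover 'file:///...' is not an absolute path, so it gets joined under
    ALLOWED_ROOT and the prefix test passes, unlike what the consumer does."""
    path = value[len(SCHEME):] if value.startswith(SCHEME) else value
    if not os.path.isabs(path):
        path = os.path.join(ALLOWED_ROOT, path)
    return os.path.normpath(path).startswith(ALLOWED_ROOT)

def hardened_is_allowed(value: str) -> bool:
    """Hardened validator: normalise exactly as the consumer does, reject anything
    that still looks like a URL, and compare path components, not a prefix."""
    if "://" in strip_all_schemes(value):
        return False
    return os.path.commonpath([ALLOWED_ROOT, consumer_target(value)]) == ALLOWED_ROOT

def weak_validator_is_bypassed(value: str) -> bool:
    """True when the weak check accepts a value whose real target leaves the root."""
    escaped = os.path.commonpath([ALLOWED_ROOT, consumer_target(value)]) != ALLOWED_ROOT
    return weak_is_allowed(value) and escaped

if __name__ == "__main__":
    for sample in ("file:///var/www/storage/uploads/a.txt", "file://file:///etc/example.conf"):
        print(sample, "weak:", weak_is_allowed(sample), "hardened:", hardened_is_allowed(sample),
              "target:", consumer_target(sample))
```

The key property of the hardened check is that it resolves the value through the same normalisation the consumer uses before comparing, so validator and file layer can no longer disagree about where a path points.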
CVE-2024-52291 was publicly disclosed on November 13, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the vulnerability's ease of exploitation and potential for significant impact make it a high-priority concern. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Exploit Status
EPSS: 0.09% (26th percentile)
The recommended mitigation for CVE-2024-52291 is to immediately upgrade CraftCMS to version 5.4.6 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider temporarily disabling the allowAdminChanges setting in the configuration file. While this reduces functionality, it mitigates the risk of unauthorized file modifications. Implement strict file upload validation and sanitization routines to further reduce the attack surface. Monitor file system activity for suspicious modifications, particularly in sensitive directories.
Upgrade Craft CMS to version 5.4.6 or later, or to version 4.12.5 or later. This fixes the local file system validation bypass vulnerability. Make sure to disable the `allowAdminChanges` option if it is not needed.
CVE-2024-52291 is a HIGH severity vulnerability in CraftCMS that allows attackers to bypass file system validation using a double file:// scheme, potentially leading to file overwrites and unauthorized access.
Yes, if you are running CraftCMS version 5.4.5.1 or earlier, you are affected by this vulnerability. Upgrade to 5.4.6 to mitigate the risk.
The recommended fix is to upgrade CraftCMS to version 5.4.6 or later. As a temporary workaround, disable the allowAdminChanges setting in your configuration file.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a high-priority concern. Monitor your systems for suspicious activity.
Refer to the official CraftCMS security advisory for detailed information and updates: https://craftcms.com/docs/5.x/security/