Platform
php
Component
craftcms/cms
Fixed in
5.0.1
3.5.14
5.4.9
CVE-2024-52292 is a high-severity vulnerability affecting Craft CMS versions 5.4.8 and earlier. This vulnerability allows attackers with write access to system notification templates to read arbitrary operating system files. By abusing the dataUrl function within these templates, attackers can exfiltrate file content as Base64-encoded strings via triggered system email notifications. A patch is available in version 5.4.9.
The impact of CVE-2024-52292 is significant due to the potential for sensitive data exposure. An attacker who can modify system notification templates can read any file accessible to the web server process. This could include configuration files containing database credentials, API keys, or other sensitive information. Successful exploitation could lead to complete system compromise, data breaches, and unauthorized access to internal resources. The ability to exfiltrate data via email provides a relatively stealthy attack vector, making detection more challenging. This vulnerability shares similarities with other file disclosure vulnerabilities where template engines or data serialization functions are misused to access arbitrary files.
CVE-2024-52292 was publicly disclosed on November 13, 2024. There is currently no indication of active exploitation in the wild, but the availability of a relatively straightforward exploitation technique increases the risk. No public proof-of-concept code has been released as of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.32% (55% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-52292 is to upgrade Craft CMS to version 5.4.9 or later, which includes the fix. If upgrading immediately is not possible, restrict write access to system notification templates to authorized users only. Implement strict input validation and sanitization on any user-provided data used in template rendering. Consider using a Web Application Firewall (WAF) to detect and block requests containing suspicious patterns related to file access. Monitor system logs for unusual activity, particularly related to email notifications and file access attempts. After upgrade, confirm the fix by attempting to trigger a system notification with a template containing the vulnerable dataUrl function and verifying that file access is denied.
Update Craft CMS to version 5.4.9 or higher, or to version 4.12.8 or higher. This fixes the vulnerability that allows arbitrary file reading. The update can be performed through the Craft CMS control panel or using Composer.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-52292 is a high-severity vulnerability in Craft CMS versions 5.4.8 and earlier that allows attackers to read arbitrary operating system files by abusing notification templates.
You are affected if you are using Craft CMS version 5.4.8 or earlier and have users with write access to system notification templates.
Upgrade Craft CMS to version 5.4.9 or later to remediate the vulnerability. Restrict write access to notification templates as an interim measure.
There is currently no indication of active exploitation in the wild, but the vulnerability is considered high-risk due to the ease of exploitation.
Refer to the official Craft CMS security advisory: [https://craftcms.com/support/security](https://craftcms.com/support/security)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.