Platform
php
Component
craftcms/cms
Fixed in
4.0.1
5.0.1
4.12.2
CVE-2024-52293 is a Remote Code Execution (RCE) vulnerability in Craft CMS, stemming from a missing normalizePath function within the FileHelper::absolutePath method. This flaw allows for Server-Side Template Injection (SSTI) via Twig templates, potentially enabling an attacker to execute arbitrary code on the server. The vulnerability affects versions of Craft CMS up to and including 4.9.7, and a fix is available in version 4.12.2.
Successful exploitation of CVE-2024-52293 could allow an authenticated administrator to execute arbitrary code on the server hosting the Craft CMS instance. This could lead to complete system compromise, including data exfiltration, modification, or deletion. The attack leverages Twig SSTI, a well-understood attack vector, making it potentially easier for attackers to exploit. Given the post-authentication requirement (ALLOWADMINCHANGES=true), an attacker would need to first gain access to an administrator account, but once achieved, the impact is severe. This vulnerability is a sequel to CVE-2023-40035, indicating a recurring pattern of template injection issues within Craft CMS.
CVE-2024-52293 was publicly disclosed on 2024-11-13. The vulnerability is considered to have a medium exploitation probability based on the requirement for administrator privileges and the need to craft a specific SSTI payload. Public proof-of-concept exploits are likely to emerge given the nature of the vulnerability and its connection to CVE-2023-40035. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS
17.44% (95% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-52293 is to upgrade Craft CMS to version 4.12.2 or later. If an immediate upgrade is not possible, consider implementing temporary workarounds. While a direct WAF rule targeting Twig SSTI is complex, ensure your WAF is configured to monitor for suspicious template rendering activity. Review and restrict user input used in Twig templates to minimize the attack surface. After upgrading, confirm the fix by attempting to trigger the SSTI vulnerability via a crafted Twig template; the attempt should fail with an appropriate error message.
Actualice Craft CMS a la versión 4.12.2 o superior, o a la versión 5.4.3 o superior. Esto corregirá la vulnerabilidad de ejecución remota de código. Realice una copia de seguridad antes de actualizar.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-52293 is a Remote Code Execution vulnerability in Craft CMS stemming from missing path normalization, allowing Server-Side Template Injection (SSTI) via Twig templates.
You are affected if you are running Craft CMS versions 4.9.7 or earlier. Upgrade to 4.12.2 or later to mitigate the risk.
Upgrade Craft CMS to version 4.12.2 or later. Consider temporary workarounds like restricting user input in Twig templates if an immediate upgrade is not possible.
While active exploitation is not yet confirmed, the vulnerability's nature and connection to CVE-2023-40035 suggest a high likelihood of exploitation.
Refer to the Craft CMS security advisory on GitHub: https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.