Reference: Advisory #2023-107
Version: 1.0
Affected software: Craft CMS
Type: Remote code execution
CVE/CVSS: CVE-2023-41892: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
https://github.com/advisories/GHSA-4w8r-3xrw-v25g
A vulnerability in Craft CMS can be exploited remotely by an attacker to upload and execute code. The complexity of exploiting this vulnerability is low. The impact on the confidentiality and integrity of your data or your customers' data is high. Craft CMS is typically exposed to the public on the Internet.
The vulnerability in Craft CMS allows an attacker to upload code and execute it under the attacker's control.
The Centre for Cyber Security Belgium strongly recommends upgrading to Craft CMS 4.4.15 as soon as possible.
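One way to check an installation against the fixed release named above, as an added example that is not part of the CCB advisory: it reads the `craftcms/cms` entry from the text of a site's `composer.lock`. The function names and the sample lock file are constructed for illustration, and because the advisory does not state the affected range, installs on another major version are reported separately rather than judged.

```python
import json
import re

FIXED = (4, 4, 15)  # fixed release named in the advisory


def parse_version(raw):
    """Split a Composer version string into ((major, minor, patch), is_prerelease)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.]+)?$", raw.strip())
    if not m:
        return None  # branch aliases such as "dev-main" carry no release number
    return (int(m[1]), int(m[2]), int(m[3])), bool(m[4])


def craft_status(lock_text):
    """Classify the craftcms/cms entry found in the text of a composer.lock file."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    entry = next((p for p in packages if p.get("name") == "craftcms/cms"), None)
    if entry is None:
        return "not-installed"
    parsed = parse_version(entry.get("version", ""))
    if parsed is None:
        return "unparseable"
    numbers, prerelease = parsed
    if numbers[0] != FIXED[0]:
        # The advisory names only a 4.x fix and gives no affected range.
        return "other-major"
    # A pre-release of the fixed version sorts before the fixed version itself.
    if numbers < FIXED or (numbers == FIXED and prerelease):
        return "upgrade-required"
    return "at-or-above-fix"


# Constructed sample lock file, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.48.1"},
        {"name": "craftcms/cms", "version": "4.4.14"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(craft_status(SAMPLE_LOCK))
```

Pass the contents of each site's `composer.lock` to `craft_status` and treat `other-major` and `unparseable` results as needing manual review.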