Description

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

Remediation

References

CVE-2024-52293

Related Vulnerabilities

Jenkins Incorrect Authorization Vulnerability (CVE-2018-1999003)

Jenkins Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-1000362)

MySQL CVE-2022-21314 Vulnerability (CVE-2022-21314)

WordPress Plugin Yoast SEO Cross-Site Scripting (22.5)

WordPress Plugin WP Google Maps Unspecified Vulnerability (8.0.25)

Severity

High

Classification

CVE-2024-52293 CWE-22 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities