Description
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft's FileHelper::absolutePath does not call normalizePath on the path it builds, so "." and ".." segments survive in the result. That could lead to remote code execution on the server via Twig server-side template injection (SSTI). This is a follow-up to CVE-2023-40035. The vulnerability is fixed in 4.12.2 and 5.4.3.
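The security-relevant point is that a path helper which joins a relative path onto a base directory without normalising it leaves ".." segments live: the un-normalised string still begins with the base directory, so a prefix check on it passes even though the path it actually names is somewhere else. The following is an added illustration of that pattern and its fix, not Craft's own code; the helper names (joinPathUnsafe, normalizePath, absolutePathSafe) and the sample paths are hypothetical, and the normaliser is a plain lexical one written here rather than the Yii/Craft implementation.

```php
<?php
// Added illustration, not Craft CMS code. All helper names and sample
// inputs below are hypothetical.

/**
 * Naive join: resolves $to against $from without touching "." or ".."
 * segments. The returned string starts with $from even when the path it
 * names lies outside that directory, which is the bug class the advisory
 * describes.
 */
function joinPathUnsafe(string $to, string $from): string
{
    if ($to !== '' && $to[0] === '/') {
        return $to; // already absolute, caller's base is ignored
    }
    return rtrim($from, '/') . '/' . $to;
}

/**
 * Lexical normalisation: drop empty and "." segments and resolve ".."
 * against the preceding segment. Purely string-based, so it also works
 * for paths that do not exist yet (unlike realpath()).
 */
function normalizePath(string $path): string
{
    $absolute = $path !== '' && $path[0] === '/';
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($parts !== [] && end($parts) !== '..') {
                array_pop($parts);
            } elseif (!$absolute) {
                $parts[] = '..'; // a relative path may legitimately begin with ".."
            }
            // ".." at the root of an absolute path is discarded
            continue;
        }
        $parts[] = $segment;
    }
    $joined = implode('/', $parts);
    return $absolute ? '/' . $joined : ($joined === '' ? '.' : $joined);
}

/**
 * Hardened variant: normalise the joined path first, then require the
 * result to be the base directory itself or something beneath it.
 * Returns null for anything that escapes $from.
 */
function absolutePathSafe(string $to, string $from): ?string
{
    $base = normalizePath($from);
    $resolved = normalizePath(joinPathUnsafe($to, $from));
    if ($resolved !== $base && strpos($resolved, $base . '/') !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed sample inputs: an ordinary template name and one that walks
// up out of the templates directory.
$base = '/var/www/craft/templates';
$benign = 'news/_entry.twig';
$escaping = '../../../../tmp/payload.twig';

// The naive join keeps $base as a textual prefix, so a prefix check on
// this string would wrongly accept it.
echo joinPathUnsafe($escaping, $base), PHP_EOL;

// The hardened helper normalises before checking containment.
var_dump(absolutePathSafe($benign, $base));
var_dump(absolutePathSafe($escaping, $base));
```

The containment check compares against `$base . '/'` rather than `$base` alone so that a sibling directory whose name merely starts with the base name (for example `/var/www/craft/templates-old`) is not accepted. Normalising both sides before comparing is what makes the check meaningful; comparing the raw joined string is exactly the mistake a missing normalizePath call produces.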
Remediation
Upgrade Craft CMS to 4.12.2 or later on the 4.x line, or to 5.4.3 or later on the 5.x line; these releases contain the fix.